
Re: can LVS be run ON the firewall box?

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: can LVS be run ON the firewall box?
From: "Lorn Kay" <lorn_kay@xxxxxxxxxxx>
Date: Fri, 23 Feb 2001 02:09:44 -0000

> I have a full ipchains firewall script, which works (includes port
> forwarding), and a stripped-down ipchains script just for LVS, and they
> each work fine separately. When I merge them, I can't reach even just
> the firewall box. As I mentioned, I suspect this is because of the
> virtual interfaces required by LVS.

I ran into a problem like this when adding firewall rules to my LVS ipchains script. The problem I had was due to the order of the rules.

Remember that once a packet matches a rule in a chain it is kicked out of the chain--it doesn't matter if it is an ACCEPT or REJECT rule (packets may never get to your FWMARK rules, for example, if they do not come before your ACCEPT and REJECT tests).

I am using virtual interfaces as well (e.g., eth1:1) but, as Julian points out, I had no reason to apply ipchains rules to a specific virtual interface (even with an ipchains script that is several hundred lines long!).

--L
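
The ordering problem described in this message, as an added example that is not part of the original post and is not ipchains itself: a simplified Python model of first-match chain traversal, with a helper that reports rules no probe packet ever reaches. The Rule class, the function names, the addresses and the probe list are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    dst: str                      # destination network the rule matches
    dport: Optional[int] = None   # None matches any destination port
    mark: Optional[int] = None    # fwmark to set when the rule matches
    target: Optional[str] = None  # terminal verdict; None means keep walking

def traverse(chain, dst, dport, policy="DENY"):
    """Walk one packet through the chain: (verdict, fwmark, matched rule indices)."""
    fwmark, matched = 0, []
    for i, rule in enumerate(chain):
        if ip_address(dst) not in ip_network(rule.dst):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        matched.append(i)
        if rule.mark is not None:
            fwmark = rule.mark
        if rule.target is not None:
            # A terminal target ends traversal: later rules never see the packet.
            return rule.target, fwmark, matched
    return policy, fwmark, matched

def unreached(chain, probes):
    """Indices of rules that none of the probe packets ever matched."""
    hit = set()
    for dst, dport in probes:
        hit.update(traverse(chain, dst, dport)[2])
    return [i for i in range(len(chain)) if i not in hit]

# Constructed sample data (documentation address range), not from the post.
VIP = "192.0.2.10"
PROBES = [(VIP, 80), ("192.0.2.20", 80)]

accept_web = Rule("0.0.0.0/0", dport=80, target="ACCEPT")        # generic firewall rule
mark_vip = Rule(VIP + "/32", dport=80, mark=1, target="ACCEPT")  # LVS fwmark rule

broken_chain = [accept_web, mark_vip]  # generic ACCEPT first: mark rule is shadowed
fixed_chain = [mark_vip, accept_web]   # specific mark rule first

if __name__ == "__main__":
    for name, chain in (("broken", broken_chain), ("fixed", fixed_chain)):
        print(name, traverse(chain, VIP, 80), "unreached:", unreached(chain, PROBES))
```

In the broken ordering the packet for the virtual IP is accepted with fwmark 0, so a virtual service keyed on mark 1 would not match it; running a probe set like this against a merged rule list is a quick way to spot shadowed rules before loading them.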
