
Re: [lvs-users] Will half-connections in LVS TUNNEL/DR mode be blocked by a firewall?

To: "Aaron West" <aaron@xxxxxxxxxxxxxxxx>, lvs-users <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] Will half-connections in LVS TUNNEL/DR mode be blocked by a firewall?
From: JWD <j-wd@xxxxxxx>
Date: Tue, 8 Sep 2015 14:31:17 +0800
Hi,
Thank you for your reply.
I am still confused.

Think about this:
Client ----> FireWall(find MAC of LVS) ----> LVS(find MAC of RealServer) ----> 
RealServer(response with MAC of RealServer) ----> FireWall(What MAC of VIP in 
ARP table?)

My question is, at the last step:
Will the firewall check the MAC of the VIP? Or ignore it?
What is the MAC of the VIP in the firewall's ARP table? The MAC of LVS? Or the MAC of RealServer?




JWD

From: Aaron West
Sent: 2015-09-08 05:57
To: LinuxVirtualServer.org users mailing list.; j-wd
Subject: Re: [lvs-users] Will half-connections in LVS TUNNEL/DR mode be blocked by a firewall?
Hi, 


I hope you don't mind me trying to answer in English.


If the question is will the firewall drop the packet if IP spoofing protection 
is enabled then I suspect the answer is yes. The reply will come from the real 
server's MAC address but sourced from the VIP address so I'd recommend 
disabling any spoofing protection.


Hope that helps.


Aaron West


Loadbalancer.org Limited

+44 (0)330 380 1064
www.loadbalancer.org


2015-09-05 9:00 GMT+01:00 JWD <j-wd@xxxxxxx>:

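After reading the LVS documentation, I think the half-connections in TUNNEL/DR mode should count as IP spoofing. Will this approach be blocked by a firewall?
Or is it the case that as long as the source IP, destination IP and sequence number in the packets match up, the session will have no problems?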

--------------
JWD
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users