
Re: Direct/Tunneling lvs and spoofing protection

To: Julian Anastasov <uli@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Direct/Tunneling lvs and spoofing protection
Cc: Stephen Zander <gibreel@xxxxxxxxx>, lvs-users@xxxxxxxxxxxxxxxxxxxxxx
From: Stephen Zander <gibreel@xxxxxxxxx>
Date: 14 Mar 2000 09:20:42 -0800
>>>>> "Julian" == Julian Anastasov <uli@xxxxxxxxxxxxxxxxxxxxxx> writes:
    Julian>     Yep, in VS/NAT mode you use the Director as default
    Julian> gateway for the real servers but for VS/DR and VS/TUN
    Julian> methods you have to use transparent proxy in the Director
    Julian> to receive packets for the VIPs. This way, if the
    Julian> Director thinks the VIP is not local, the outgoing packets
    Julian> will be successfully forwarded to the client.

I hadn't thought of using transparent proxying.  I'll see what that
will give me.

    Julian>     The source address checking is very restrictive. We
    Julian> can't control via /proc/sys/net/ipv4/conf/*/rp_filter
    Julian> packets with saddr=local_ip daddr=non_local_ip,
    Julian> i.e. forwarded packets, even when we use two different
    Julian> network devices to distinguish the source of the packet:
    Julian> real server or external client.

I figured the spoof code was part of the problem; however, even with
echo 0 > .../rp_filter this doesn't work.  That's a bug, IMHO.  Not
very secure, but a bug just the same (even if it's only a
documentation bug).

-- 
Stephen

"So if she weighs the same as a duck, she's made of wood."... "And
therefore?"... "A witch!"
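An added example (not code from this thread or from the LVS project) that audits the per-interface rp_filter settings Julian refers to, laid out as /proc/sys/net/ipv4/conf/*/rp_filter. It takes the conf directory as an argument so it can be run against a constructed copy; note that, as Julian points out, the check on forwarded packets whose source address is local is not governed by rp_filter at all, so this only tells you what the reverse-path filter itself is doing.

```shell
#!/bin/sh
# Added example, not code from the thread: audit per-interface rp_filter
# settings in a sysctl conf tree laid out like /proc/sys/net/ipv4/conf/*/rp_filter.
# The directory argument lets it run against a constructed copy as well as /proc.

# Translate a raw rp_filter value into its meaning. Value 2 (loose mode) exists
# only on newer kernels; the kernels discussed in the thread know just 0 and 1.
rp_filter_mode() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

# Emit one "<iface> <value> <mode>" line per interface directory under $1.
rp_filter_report() {
    conf_dir="${1:-/proc/sys/net/ipv4/conf}"
    for f in "$conf_dir"/*/rp_filter; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        val=$(cat "$f")
        echo "$iface $val $(rp_filter_mode "$val")"
    done
}

# Count real interfaces (skipping the all/default pseudo-entries) still in
# strict mode; a non-zero result means some interface still applies the
# reverse-path check that the thread is about switching off.
count_strict_ifaces() {
    rp_filter_report "$1" | awk '$1 != "all" && $1 != "default" && $2 == 1' | wc -l | tr -d ' '
}

# Constructed sample tree standing in for /proc on a director with two NICs.
make_sample_tree() {
    d=$(mktemp -d)
    for i in all default eth0 eth1; do mkdir -p "$d/$i"; done
    echo 1 > "$d/all/rp_filter"      # the "all" entry left at strict
    echo 0 > "$d/default/rp_filter"
    echo 1 > "$d/eth0/rp_filter"     # client-facing NIC still strict
    echo 0 > "$d/eth1/rp_filter"     # realserver-facing NIC, check disabled
    echo "$d"
}

sample=$(make_sample_tree)
rp_filter_report "$sample"
echo "strict real interfaces: $(count_strict_ifaces "$sample")"
rm -rf "$sample"
```

Run it with no argument on a live director to read the real /proc tree instead of the constructed sample.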