----- Original Message -----
From: "Ivan Figueredo" <idf@xxxxxxxxxxxxxx>
To: "Julian Anastasov" <ja@xxxxxx>
Sent: Saturday, January 20, 2001 10:53 AM
Subject: Re: Setting up a one network VS-NAT LVS
Julian,
>
> ----- Original Message -----
> From: "Julian Anastasov" <ja@xxxxxx>
> To: "Ivan Figueredo" <idf@xxxxxxxxxxxxxx>
> Cc: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
> Sent: Saturday, January 20, 2001 12:43 PM
> Subject: Re: Setting up a one network VS-NAT LVS
>
>
> >
> > Hello,
> >
> > On Sat, 20 Jan 2001, Ivan Figueredo wrote:
> >
> > > OK - Is there a web site or book that you can recommend that shows how to
> > > debug/understand TCP/IP packets?
> >
> > The RFC documents are your friends:
>
Will do.
>
> > http://www.ietf.cnri.reston.va.us/rfc.html
> >
> > The numbers you need:
> >
> > 793 TRANSMISSION CONTROL PROTOCOL
> > 1122 Requirements for Internet Hosts -- Communication Layers
> > 1812 Requirements for IP Version 4 Routers
> > 826 An Ethernet Address Resolution Protocol
> >
> > man tcpdump can help to understand its outputs. I don't
> > remember for other documents. Maybe someone else has better
> > information :)
> >
> > > >...BTW, the same level of security can be achieved using LVS/DR
> > > > where the real servers have private addresses as in the NAT setup.
> > > > Maybe Joe has this info in the HOWTO.
> > >
> > > You have anticipated my next question! Thx. this IS the way I will
> > > eventually need to set it up, as REAL IP addresses on the Internet are
> > > scarce.
> >
> > Yes, put the same private addresses in the real servers, the
> > same def gw IP from the private network and add the VIPs on the loopback
> > adapter. I don't remember for other requirements. By default, when
> > the devices where the VIPs are defined in the real server are hidden,
> > so this feature does not allow the VIPs to be autoselected from the
> > kernel as source address for outgoing connections. VIP can be used
> > in connections if you bind to VIP and when the director feeds us
> > with packets with daddr=VIP. So, if you don't put other publicly
> > visible IP addresses in the real servers I don't see a reason why the
> > NAT setup will be more secure than this one.
>
Hmm, interesting... I will try this when I am ready for showtime...
Ivan
>
> > > Regards,
> > >
> > > Ivan
> >
> >
> > Regards
> >
> > --
> > Julian Anastasov <ja@xxxxxx>
> >
> >
>