
Re: can LVS be run ON the firewall box?

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: can LVS be run ON the firewall box?
From: "Lorn Kay" <lorn_kay@xxxxxxxxxxx>
Date: Mon, 26 Feb 2001 23:55:07 -0000
FWMARKing does not have to be a part of an ACCEPT rule.

If you have a default DENY policy and then say:

/sbin/ipchains -A input -d $VIP -j ACCEPT
/sbin/ipchains -A input -d $VIP 80 -p tcp -m 3
/sbin/ipchains -A input -d $VIP 443 -p tcp -m 3

To maintain persistence between port 80 and 443 for https, for example, the packets will match on the ACCEPT rule, get kicked out of the input chain tests, and never get marked.

--L

From: Brian Edmonds <bedmonds@xxxxxxxxxxx>
Reply-To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: can LVS be run ON the firewall box?
Date: Fri, 23 Feb 2001 08:05:26 -0800 (PST)

"Lorn Kay" <lorn_kay@xxxxxxxxxxx> writes:
> Remember that once a packet matches a rule in a chain it is kicked out
> of the chain--it doesn't matter if it is an ACCEPT or REJECT
> rule (packets may never get to your FWMARK rules, for example, if they
> do not come before your ACCEPT and REJECT tests).

Huh?  FWMARK rules?  I've never seen those.  Last I looked a fwmark is
added with a -m flag on an ACCEPT rule -- at least it certainly works
that way on my LVS routers.  (Ok, you could probably mark a REJECT or
DENY rule, but it would be pretty pointless.)

Brian.

_______________________________________________
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://www.in-addr.de/mailman/listinfo/lvs-users
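The first-match behaviour the two messages disagree about, as an added example that is not from the thread: a small Python model of an ipchains input chain (with a placeholder VIP standing in for $VIP) showing that the ordering in Lorn's message leaves port 80/443 packets unmarked, that moving the -m rules ahead of the ACCEPT marks them, and that putting -m on the ACCEPT rule itself, as Brian describes, marks them too.

```python
# Constructed model of ipchains first-match semantics (added example, not from
# the thread). A chain is walked top to bottom; a rule with a terminating target
# (-j ACCEPT/DENY/REJECT) ends the walk, while a rule carrying only a mark
# (-m N) sets the fwmark and lets the walk continue.
from dataclasses import dataclass
from typing import List, Optional
VIP = "10.0.0.1"  # placeholder, stands in for $VIP in the thread

@dataclass
class Packet:
    dst: str
    dport: int
    proto: str = "tcp"
    fwmark: int = 0  # 0 = unmarked, so LVS persistence cannot key on it

@dataclass
class Rule:
    dst: Optional[str] = None     # -d address
    dport: Optional[int] = None   # port given after -d
    proto: Optional[str] = None   # -p
    mark: Optional[int] = None    # -m N
    target: Optional[str] = None  # -j target; None means "just count/mark"

    def matches(self, pkt: Packet) -> bool:
        return all(want is None or want == got for want, got in
                   ((self.dst, pkt.dst), (self.dport, pkt.dport),
                    (self.proto, pkt.proto)))

def walk_chain(chain: List[Rule], pkt: Packet, policy: str = "DENY") -> str:
    """Return the verdict for pkt; pkt.fwmark is updated as a side effect."""
    for rule in chain:
        if not rule.matches(pkt):
            continue
        if rule.mark is not None:
            pkt.fwmark = rule.mark
        if rule.target is not None:
            return rule.target  # packet is "kicked out" of the chain here
    return policy  # no terminating rule matched: default policy applies

# The ordering from the thread: ACCEPT first, mark rules after it.
ACCEPT_FIRST = [Rule(dst=VIP, target="ACCEPT"),
                Rule(dst=VIP, dport=80, proto="tcp", mark=3),
                Rule(dst=VIP, dport=443, proto="tcp", mark=3)]
# Same rules with the mark rules moved ahead of the ACCEPT.
MARK_FIRST = [ACCEPT_FIRST[1], ACCEPT_FIRST[2], ACCEPT_FIRST[0]]
# Mark and ACCEPT on one rule, as Brian describes (-m 3 -j ACCEPT).
COMBINED = [Rule(dst=VIP, dport=p, proto="tcp", mark=3, target="ACCEPT")
            for p in (80, 443)]

def mark_for(chain: List[Rule], dst: str, dport: int):
    pkt = Packet(dst=dst, dport=dport)
    return walk_chain(chain, pkt), pkt.fwmark
```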
