Roberto Nibali wrote:
> Hence every packet only passes through one of the
> three chains; previously a forwarded packet would pass
> through all three.
Works much better now :-)
> Did you add the policy DENY to INPUT and OUTPUT chains?
Well, no. On the director I'm only adding rules for the device
carrying the VIP. I tell it to accept packets for each VIP:service
and to REJECT all others. I haven't thought how to handle
the OUTPUT chain yet, since it could be on the same device
or it could be on another NIC. For the moment I'm leaving
the real-server network unfiltered.
When packets get to the real-servers, they are filtered with
the same rules as for the director (it's the same piece
of code being run again). Here I filter for the packets
arriving on the real-server's network device and with dest=VIP.
Should I still have DENY on INPUT and OUTPUT?
Joe
--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA
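The filtering Joe describes (accept each VIP:service on the device carrying the VIP, REJECT everything else to the VIP, same code run on the director and on the real-servers) as an added example that is not part of the thread. It only prints the ipchains commands so they can be reviewed before being run; device names, VIP and the proto:port service format are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the ipchains input
# rules described in the post: one ACCEPT per VIP:service, then a
# catch-all REJECT for anything else addressed to the VIP on that device.
# Arguments: device, VIP, then one or more services as proto:port
# (assumed format, e.g. tcp:80). Commands are printed, not executed.
gen_vip_input_rules() {
    dev=$1; vip=$2; shift 2
    for svc in "$@"; do
        proto=${svc%%:*}
        port=${svc#*:}
        # ipchains puts the destination port after the -d address
        printf 'ipchains -A input -i %s -p %s -d %s %s -j ACCEPT\n' \
            "$dev" "$proto" "$vip" "$port"
    done
    # everything else arriving on this device for the VIP is rejected
    printf 'ipchains -A input -i %s -d %s -j REJECT\n' "$dev" "$vip"
}

# Director: the device carrying the VIP (constructed values).
gen_vip_input_rules eth0 10.0.0.1 tcp:80 tcp:443
# Real-server: same function, run against the real-server network
# device, filtering packets with dest=VIP (constructed values).
gen_vip_input_rules eth1 10.0.0.1 tcp:80 tcp:443
```

The catch-all only covers traffic to the VIP on the named device; packets to other addresses on that device, or on other NICs, are not touched by these rules, which is exactly the gap the question about a default DENY policy on INPUT and OUTPUT is about.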