RE: FW: LVS-Tun and Fwmarks

To: "Julian Anastasov" <ja@xxxxxx>, "Jeff" <golfer2@xxxxxxxxxxxxxx>
Subject: RE: FW: LVS-Tun and Fwmarks
Cc: "Joseph Mack" <mack.joseph@xxxxxxx>, <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>, "Horms" <horms@xxxxxxxxxxxx>
From: "Jeff" <golfer2@xxxxxxxxxxxxxx>
Date: Mon, 8 Jul 2002 15:08:58 -0400
Hmmm.  I don't understand.

I still have Source Route Verification turned on on the Director.  The VIP
resides on the real servers only, on their respective tunl0 device.  In this
setup, where is the spoof coming in?

-----Original Message-----
From: Julian Anastasov [mailto:ja@xxxxxx]
Sent: Monday, July 08, 2002 5:59 PM
To: Jeff
Cc: Joseph Mack; lvs-users@xxxxxxxxxxxxxxxxxxxxxx; Horms
Subject: RE: FW: LVS-Tun and Fwmarks



        Hello,

On Mon, 8 Jul 2002, Jeff wrote:

> Thanks to Julian and Joe, I've got the LVS-Tun working using the Director as
> the default gateway of the real servers.

        I could not recommend this setting for your setup.
Now you allow spoofing (src=VIP) from the external side. Note
that the recommendation is to open the check only for the real
servers; even "internal" clients can cause problems for the
director if they can make the director accept a packet with
src IP=VIP. Of course, if you care you can solve this problem
with firewall rules.

> ip rule add prio 100 fwmark 1 table 100
> ip route add local 0/0 dev lo table 100

> Jeff

Regards

--
Julian Anastasov <ja@xxxxxx>
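One way to implement the hardening Julian describes above (keep the reverse-path check on the client-facing interface, relax it only toward the real servers, and drop packets that claim the VIP as their source on the outside), as an added example that is not part of this thread; the VIP 10.0.0.100 and the interface names eth0/eth1 are assumptions:

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: VIP 10.0.0.100, eth0 faces
# the clients, eth1 faces the real servers that use this director as gateway.

# Reverse-path check: keep it on for every interface except the one the real
# servers answer through (their replies carry src=VIP). The kernel applies
# max(conf.all, conf.<if>), so "all" must be 0 and each other interface set to 1.
rp_filter_settings() {
    ext_if=$1; int_if=$2
    printf 'net.ipv4.conf.all.rp_filter=0\n'
    printf 'net.ipv4.conf.default.rp_filter=1\n'
    printf 'net.ipv4.conf.%s.rp_filter=1\n' "$ext_if"
    printf 'net.ipv4.conf.%s.rp_filter=0\n' "$int_if"
}

# With the check relaxed, a client could send src=VIP through eth0; the director
# must neither accept nor forward such packets. Replies from the real servers
# arrive on eth1 and are not touched by these rules.
spoof_filter_rules() {
    vip=$1; ext_if=$2
    printf 'iptables -A INPUT -i %s -s %s -j DROP\n' "$ext_if" "$vip"
    printf 'iptables -A FORWARD -i %s -s %s -j DROP\n' "$ext_if" "$vip"
}

# Local model of that policy for one packet (iface, source): what the rules
# above do with it, so the behaviour can be checked without a kernel.
classify() {
    iface=$1; src=$2; vip=$3; ext_if=$4
    if [ "$iface" = "$ext_if" ] && [ "$src" = "$vip" ]; then
        echo drop
    else
        echo accept
    fi
}

# Apply on a director (root required); arguments: VIP EXT_IF INT_IF.
apply_director_policy() {
    rp_filter_settings "$2" "$3" | while read -r kv; do sysctl -w "$kv"; done
    spoof_filter_rules "$1" "$2" | sh
}

# Show what would be applied for the assumed layout.
rp_filter_settings eth0 eth1
spoof_filter_rules 10.0.0.100 eth0
```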



