Hmmm. I don't understand.
I still have Source Route Verification turned on on the Director. The VIP
resides on the real servers only, on their respective tunl0 device. In this
setup, where is the spoof coming in?
-----Original Message-----
From: Julian Anastasov [mailto:ja@xxxxxx]
Sent: Monday, July 08, 2002 5:59 PM
To: Jeff
Cc: Joseph Mack; lvs-users@xxxxxxxxxxxxxxxxxxxxxx; Horms
Subject: RE: FW: LVS-Tun and Fwmarks
Hello,
On Mon, 8 Jul 2002, Jeff wrote:
> Thanks to Julian and Joe, I've got the LVS-Tun working using the Director
> as the default gateway of the real servers.
I could not recommend this setting for your setup.
Now you allow spoofing (src=VIP) from the external side. Note
that the recommendation is to open the check only for the real
servers; even "internal" clients can cause problems for the
director if they can get the director to accept a packet with
src IP=VIP. Of course, if you care, you can solve this problem
with firewall rules.
> ip rule add prio 100 fwmark 1 table 100
> ip route add local 0/0 dev lo table 100
> Jeff
Regards
--
Julian Anastasov <ja@xxxxxx>
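A director-side hardening script, as an added example that is not part of the thread and not from the LVS project: it expresses the suggestion above (accept src=VIP only from the real-server side with firewall rules, and relax reverse-path checking only on that interface, keeping it strict on the client-facing one). The VIP, the interface names and the function names are assumed placeholders; the functions only print the commands so the script can be reviewed before it is run as root.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the LVS project.
# Scenario: an LVS-Tun director that is also the real servers' default
# gateway, so decapsulated replies with src=VIP arrive on the real-server
# facing interface and must be allowed there, but nowhere else.
# Assumed placeholder values: VIP 192.0.2.10, EXT_IF eth0 (clients),
# RS_IF eth1 (real servers).

# Print iptables rules that treat src=VIP as spoofed unless it arrives
# on the real-server side. Output is text; pipe to sh as root to apply.
antispoof_rules() {
    vip="$1"; ext_if="$2"; rs_if="$3"
    # Spoofed VIP packets from the client side: drop, whether addressed
    # to the director itself or routed through it.
    echo "iptables -A INPUT -i $ext_if -s $vip -j DROP"
    echo "iptables -A FORWARD -i $ext_if -s $vip -j DROP"
    # Legitimate real-server replies (src=VIP) heading back to clients.
    echo "iptables -A FORWARD -i $rs_if -s $vip -j ACCEPT"
}

# Print the per-interface reverse-path settings: keep the check on the
# external interface, open it only on the real-server interface.
rpfilter_settings() {
    ext_if="$1"; rs_if="$2"
    echo "net.ipv4.conf.$ext_if.rp_filter=1"
    echo "net.ipv4.conf.$rs_if.rp_filter=0"
}

# Review mode: print everything that would be applied.
show_plan() {
    antispoof_rules "$1" "$2" "$3"
    rpfilter_settings "$2" "$3" | sed 's/^/sysctl -w /'
}

show_plan 192.0.2.10 eth0 eth1
```

Run the script as-is to see the plan; to apply it, run `show_plan 192.0.2.10 eth0 eth1 | sh` as root after substituting the real VIP and interface names. Note that on Linux the effective rp_filter setting for an interface also depends on net.ipv4.conf.all.rp_filter, so keep that one consistent with the per-interface values above.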