On Mon, 2006-05-22 at 10:49 -0700, Joseph Mack NA3T wrote:
> so this traffic is not on a port that ipvsadm is
> controlling and LVS ignores these reply packets?
That's the general idea. This is for outbound communication from the
realservers; it's extremely unlikely that they'll use a well-known (and
often privileged) service port as the source for a new TCP session to
In context, an example mail server cluster will generally have one or
more of ports 25, 465 and 587 bound to the VIP on the external side of
the director. No well-written MTA will initiate a connection to an
external host using those ports as source.
The same goes for webservers, DB servers and a whole host of others.
That means the LVS doesn't have to be considered, as the netfilter
conntrack code will work perfectly well.
There is, however, an exception - DNS servers can be configured to use
UDP/53 as a source port for queries; in my experience explicitly turning
this off means a tiny proportion of queries will fail. Leaving it turned
on behind a director means that, well, anything could happen... so
making use of a forwarder here is a good solution. Besides, in DNS
operation having a query come from a reversible IP which maps to a
forward name lookup is less important than it is for web or email
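The distinction drawn above (outbound realserver flows normally use ephemeral source ports, so only a service such as DNS querying from UDP/53 can collide with a port that ipvsadm controls) can be turned into a small audit. The following is an added example, not code from the thread or from the LVS project: it parses a constructed `/proc/net/ip_vs` listing (the kernel's hex `ADDR:PORT` format) and flags constructed realserver flows whose protocol and source port match a virtual service. The flow list and addresses are assumptions for illustration.

```python
# Added example: which outbound realserver flows use a source port that
# collides with a virtual service on the director?
import re

# Constructed /proc/net/ip_vs listing (kernel prints hex IPv4:port).
IP_VS_SAMPLE = """\
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP  C0A80101:0019 rr
  -> C0A80A0B:0019      Masq    1      0          0
TCP  C0A80101:024B rr
  -> C0A80A0B:024B      Masq    1      0          0
UDP  C0A80101:0035 rr
  -> C0A80A0B:0035      Masq    1      0          0
"""

# Matches only the virtual-service lines, not the "->" realserver lines.
_SVC_RE = re.compile(r"^(TCP|UDP)\s+([0-9A-F]{8}):([0-9A-F]{4})\s+(\S+)", re.I)


def hex_to_ip(h):
    """'C0A80101' -> '192.168.1.1'"""
    return ".".join(str(int(h[i:i + 2], 16)) for i in range(0, 8, 2))


def parse_ip_vs(text):
    """Return a set of (proto, vip, port) for each virtual service."""
    services = set()
    for line in text.splitlines():
        m = _SVC_RE.match(line)
        if m:
            proto, ip_hex, port_hex, _sched = m.groups()
            services.add((proto.upper(), hex_to_ip(ip_hex), int(port_hex, 16)))
    return services


# Constructed outbound flows from a realserver: (proto, sport, dst, dport).
REALSERVER_FLOWS = [
    ("TCP", 41522, "203.0.113.7", 25),   # MTA relaying mail out, ephemeral sport
    ("TCP", 52013, "203.0.113.9", 443),  # webserver fetching something
    ("UDP", 53, "203.0.113.53", 53),     # resolver configured to query FROM 53
    ("UDP", 39871, "203.0.113.53", 53),  # same resolver using an ephemeral port
]


def colliding_flows(services, flows):
    """Flows whose (proto, source port) is a port ipvsadm controls; the rest
    are ordinary NAT traffic that netfilter conntrack handles on its own."""
    svc_ports = {(proto, port) for proto, _vip, port in services}
    return [f for f in flows if (f[0], f[1]) in svc_ports]
```

Only the query sent from UDP/53 is reported; the thread's suggested fix for that one case is to hand resolution to a forwarder.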