On Wed, 5 Jul 2006, John Gray wrote:
> The boxes have to go through the LVS box to talk to outside world. It
> works fine for local names. It's when they need to talk to outside name
> servers that issue happens.
The design of the LVS expects that the realservers do not
talk to the outside world. This is so that the clients (or
outside world) see only a single server and cannot tell that
multiple boxes are involved. This is a matter of clean
design as well as not exposing your realservers to attacks
from the outside - you only have to guard the NIC on the
outside of the director.
Can you get the realservers to query the director(s) and
have the directors query the outside world?
> If I had to hazard a guess, I'd say the fact that bind is set to force the
> source port set to 53 is part of the problem.
you aren't going to get replies through to the realservers
unless you NAT the tcp and udp calls to 0/53.
> And the problem definitely coincides with the new kernel. I'm making
> some assumptions here, but I *think* the replies to external queries
> aren't making it back to the real server that made the request (perhaps it's going
> to another real server).
A reasonable explanation.
> The problem is coming and going. It's not happening right now, so I
> can't get any captures.
Joe
--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
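To make the misrouting John and Joe are circling concrete, here is an added illustration (not LVS code and not from the list): a toy source-NAT table on the director, with constructed addresses and the hypothetical names NatDirector and simulate. With bind's query source fixed at port 53 on every realserver and no port remapping, two queries to the same outside nameserver collide in the director's reverse mapping and the last realserver to send wins both replies; with SNAT-style per-flow port allocation each reply is demuxed to the realserver that sent it.

```python
"""Toy model of a director doing source NAT for realserver DNS queries.
Constructed illustration of the suspected failure mode; not LVS code."""
from dataclasses import dataclass, field


@dataclass
class NatDirector:
    """remap_ports=False: naive address rewrite that keeps the realserver's
    source port.  remap_ports=True: SNAT with a fresh public port per flow."""
    public_ip: str
    remap_ports: bool
    next_port: int = 1024
    # reverse table: (public_ip, public_port, dst_ip, dst_port) -> (rs_ip, rs_port)
    table: dict = field(default_factory=dict)

    def outbound(self, rs_ip, rs_port, dst_ip, dst_port):
        """Realserver -> outside.  Returns the public source port used."""
        if self.remap_ports:
            pub_port = self.next_port
            self.next_port += 1
        else:
            pub_port = rs_port
        key = (self.public_ip, pub_port, dst_ip, dst_port)
        # A later flow with the same key silently overwrites the earlier one.
        self.table[key] = (rs_ip, rs_port)
        return pub_port

    def inbound(self, src_ip, src_port, dst_port):
        """Reply from outside -> which realserver gets it (None if unknown)."""
        return self.table.get((self.public_ip, dst_port, src_ip, src_port))


def simulate(remap_ports):
    """Two realservers each send one query from port 53 to the same outside
    nameserver; return which realserver each reply is delivered to."""
    director = NatDirector("203.0.113.10", remap_ports)   # constructed addresses
    ext_dns = "198.51.100.53"
    realservers = ["10.0.0.11", "10.0.0.12"]
    sent = {rs: director.outbound(rs, 53, ext_dns, 53) for rs in realservers}
    # Each reply comes back addressed to the public port its query left on.
    return {rs: director.inbound(ext_dns, 53, sent[rs]) for rs in realservers}


if __name__ == "__main__":
    print("fixed port 53, no remap:", simulate(False))
    print("SNAT port allocation:   ", simulate(True))
```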