Re: [lvs-users] solved: last FIN-ACK eaten (by iptables)

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] solved: last FIN-ACK eaten (by iptables)
From: "Laurentiu C. Badea (L.C.)" <lc@xxxxxxxx>
Date: Fri, 12 Sep 2008 09:59:52 -0700
Brian Ghidinelli wrote:
> 
> A blanket ACCEPT rule on outgoing traffic doesn't seem very secure for a 
> firewall, though.

It isn't, and in my case there's a firewall in front of the LVS.

Outgoing FORWARDed traffic is not the one allowed, though; it is the 
traffic originating on the LVS machine itself (the OUTPUT chain in the 
main table), which is usually left open anyway.

Since then I have noticed the INPUT chain would have blocked the same 
packet in the same configuration, so both INPUT and OUTPUT need to have 
a stateless ACCEPT on that TCP port for the LVS to work.

--
Laurentiu
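A director-side filter ruleset of the kind the reply describes, added here as an illustration and not something posted in the thread. The VIP 192.0.2.10, the service port 80 and the tcp/22 admin rule are placeholders. The two stateless ACCEPT lines sit ahead of the state-based rules in both INPUT and OUTPUT, so the connection-closing FIN-ACK is accepted even when the director's own conntrack has no matching entry for it. Matching the port in either direction with `-m multiport --ports` instead of matching on the VIP address is my choice so the fragment does not depend on the IPVS forwarding method; the thread does not discuss that.

```iptables
# Added example: iptables-restore fragment for an LVS director (not from the thread).
# Placeholders: VIP 192.0.2.10, load-balanced service on tcp/80, admin access on tcp/22.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Stateless ACCEPT for the load-balanced service port, placed BEFORE any
# state-based rule, in both INPUT and OUTPUT. Without these two lines the
# director's conntrack may hold no entry for the closing FIN-ACK and the
# state rules below eat it.
-A INPUT -p tcp -m multiport --ports 80 -j ACCEPT
-A OUTPUT -p tcp -m multiport --ports 80 -j ACCEPT

# Normal stateful handling for traffic that terminates on the director itself.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state NEW -j ACCEPT
COMMIT
```

Load it with `iptables-restore` reading the file on standard input. The reply notes that OUTPUT is usually left open, in which case only the INPUT line matters; the fragment above restricts OUTPUT as well, which is the configuration where both stateless rules are needed.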

