Nice. This about does the trick on the realservers:
iptables -A OUTPUT -p tcp --dport 113 -j REJECT
One last question, the above command reduces the wait to 3 seconds as
opposed to 30 seconds. However it also increases the delay of rshing
to the RIP from 0 to 3 seconds. Is there any way to further tune the
command?
Thanks.
djm
David Merhar
(512) 835-3611
merhar@xxxxxxxxxxxxxxxx
On Dec 19, 2008, at 10:40 AM, Graeme Fowler wrote:
> On Fri, 2008-12-19 at 10:20 -0600, David Merhar wrote:
>> Alright, maybe some progress.
>>
>> the strace on in.rlogind (strace -pf <xinetd PID>) shows the hangup on
>> connect(0, {sa_family=AF_INET sin_port=htons(113) sin_addr(DIP)},
>> 128) - typed, so probably not perfect.
>
> Make sure you REJECT rather than DROP ident lookups on the director, or
> even better configure the realservers to REJECT them in the OUTPUT chain
> on the outgoing interface.
>
> If they get DROPped, then the calling process will exhibit the exact
> hangup you're seeing. This is very, very common in SMTP systems using
> ident lookups with badly configured firewalls.
>
> Graeme
>
>
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
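Added example, not part of the thread: a small parser that pulls ident (port 113) connect() calls out of strace output and reports how long each one blocked, so a refused lookup can be told apart from one that hung until timeout. It assumes the trace was taken with strace -f -T; the sample lines, the function name ident_connects and the 1-second threshold are constructed for illustration.

```python
import re

# Constructed sample of `strace -f -T` output (not from the thread).
SAMPLE = '''\
[pid  2101] connect(0, {sa_family=AF_INET, sin_port=htons(113), sin_addr=inet_addr("192.0.2.10")}, 16) = -1 ECONNREFUSED (Connection refused) <0.000412>
[pid  2102] connect(0, {sa_family=AF_INET, sin_port=htons(113), sin_addr=inet_addr("192.0.2.10")}, 16 <unfinished ...>
[pid  2099] read(5, "x", 1) = 1 <0.000020>
[pid  2102] <... connect resumed> ) = -1 ETIMEDOUT (Connection timed out) <30.002913>
[pid  2103] connect(4, {sa_family=AF_INET, sin_port=htons(514), sin_addr=inet_addr("192.0.2.20")}, 16) = 0 <0.000198>
'''

PID = r'^(?:\[pid\s+(\d+)\]\s+)?'
START = re.compile(PID + r'connect\(\d+, \{.*?sin_port=htons\((\d+)\)'
                         r'.*?inet_addr\("([^"]+)"\)')
RESUMED = re.compile(PID + r'<\.\.\. connect resumed>')
# Return value, optional errno name, and the -T elapsed time at end of line.
RESULT = re.compile(r'=\s+(-?\d+)(?:\s+([A-Z]+))?.*?<(\d+\.\d+)>\s*$')

def ident_connects(trace, port=113, slow_after=1.0):
    """Return one record per completed connect() to `port` in the trace."""
    pending, found = {}, []          # pending: pid -> address of blocked call
    for line in trace.splitlines():
        start, resumed = START.match(line), RESUMED.match(line)
        if start:
            if int(start.group(2)) != port:
                continue
            pid, addr = start.group(1), start.group(3)
            if '<unfinished' in line:    # call blocked; result comes later
                pending[pid] = addr
                continue
        elif resumed and resumed.group(1) in pending:
            pid = resumed.group(1)
            addr = pending.pop(pid)
        else:
            continue
        res = RESULT.search(line)
        if res:
            secs = float(res.group(3))
            found.append({'pid': pid, 'addr': addr, 'errno': res.group(2),
                          'seconds': secs, 'slow': secs >= slow_after})
    return found

if __name__ == '__main__':
    for rec in ident_connects(SAMPLE):
        print(rec)
```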