
Re: [lvs-users] Curl request from linux director to the virtual ip addre

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>, Viktor Nonov <viktor@xxxxxxxxxxxxxxxx>, Julian Anastasov <ja@xxxxxx>
Subject: Re: [lvs-users] Curl request from linux director to the virtual ip address times out
From: "Carl S. Gutekunst" <csgv1145@xxxxxxxxxx>
Date: Thu, 16 Aug 2018 12:09:20 -0700

On 08/16/2018 11:47 AM, Viktor Nonov wrote:
> Replacing the route enabled successfully sending and delivering the SYN
> packet to one of the real servers, but the SYN-ACK packet that was received
> was considered by the kernel a martian packet since the source IP was $VIP
> (assigned to the director's local interface) and destination IP - the $DIP.
> This was solved by setting accept_local to 1:
> sysctl -w net.ipv4.conf.all.accept_local=1
>
> ....
> Not sure if setting accept_local to 1 will lead to other problems, but
> everything works okay for now.

I've been arguing with myself over the risk of setting accept_local to 
1. Our operations staff would really like to be able to test connections 
while ssh'd into the director, but the idea that Bad Guys could forge my 
own IPs makes me uncomfortable. Does anyone have field experience with 
this that they can share?

<csg>
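
An added example, not part of the original thread: a small audit that shows how far the `accept_local` setting quoted above reaches on a director. It assumes the kernel ORs `conf/all/accept_local` with each interface's own value, so setting it under `all` applies to every interface; the function name `audit_accept_local` and the output format are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): report which interfaces will accept
# packets whose source address is one of the host's own IPs.
# Assumption: effective accept_local = conf/all OR conf/<iface>.

# audit_accept_local [CONF_DIR]
# Prints one line per interface and returns 1 if any interface accepts
# local-source packets, 0 otherwise. CONF_DIR defaults to the live sysctl tree.
audit_accept_local() {
    conf=${1:-/proc/sys/net/ipv4/conf}
    all=$(cat "$conf/all/accept_local" 2>/dev/null || echo 0)
    found=0
    for d in "$conf"/*/; do
        [ -d "$d" ] || continue
        ifc=$(basename "$d")
        # "all" and "default" are templates, not real interfaces.
        case $ifc in all|default) continue ;; esac
        own=$(cat "${d}accept_local" 2>/dev/null || echo 0)
        if [ "$all" = 1 ]; then
            # The global switch overrides a per-interface 0.
            echo "$ifc accepts-local-src via=all"
            found=1
        elif [ "$own" = 1 ]; then
            echo "$ifc accepts-local-src via=$ifc"
            found=1
        else
            echo "$ifc drops-local-src"
        fi
    done
    return $found
}
```

Called with no argument it reads the live tree; a `via=all` line on an Internet-facing interface means the setting was applied more broadly than the interface that carries the real servers' replies.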
