Re: conntrack-tools and Session syncing




Hi Robert,

--On 10. August 2008 10:04:37 -0400 Robert Spangler <mlists@xxxxxxxxxxxxxxxx> wrote:

On Sunday 10 August 2008 08:36, Dirk H. Schulz wrote:

 That works as expected. If e.g. I ping from an inside server to
 somewhere outside, ICMP request leaves via router2, the answer comes
 back via router1. conntrack -e on router1 shows this session (as
 unreplied), BUT the firewall blocks it as new connection - that means
 iptables does not recognize conntrackd's addition to the session table.

First off if you have traffic leaving one router and coming back on
another router that is Asynchronous routing and is not a good thing, as
you are seeing.

Firewall 1 doesn't know what firewall 2 is doing so firewall 1 is going
to block this traffic as it was setup to do. Firewall 1 is thinking
this is a new connection.

That is why I used conntrack-tools to synchronize the session tables of both firewalls. According to "conntrackd -e" it works - it shows (e. g. on router 1) the sessions that have been synchronized over (e.g. from router 2).

But the sync'd sessions seem not to bother netfilter.


Since I don't know your setup my question is;

1. how many Internet connections do you have?

This is still in setup phase, but they will be very many.

2. does router 2 have a valid public ip on the interface connecting to
the Internet?

Yes. Both routers have public IPs as they both are connected to upstream routers.

Dirk
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
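A check for the situation Dirk describes (the flow shows up in `conntrackd -e` but iptables still treats it as NEW), as an added example that is not from the thread: `conntrackd -e` dumps conntrackd's userspace external cache, and an entry only becomes visible to netfilter once it is committed into the kernel table (`conntrackd -c`), where `conntrack -L` lists it. The script compares the two dumps for a given original-direction tuple; the dumps below are constructed samples, and it assumes both tools print the same line format.

```shell
#!/bin/sh
# Constructed sample dumps (assumed to share the `conntrack -L` line format).
# On a real router replace with:
#   KERNEL=$(conntrack -L 2>/dev/null); CACHE=$(conntrackd -e 2>/dev/null)
KERNEL='tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.7 sport=40000 dport=443 src=198.51.100.7 dst=192.0.2.10 sport=443 dport=40000 [ASSURED] mark=0 use=1'
CACHE='tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.7 sport=40000 dport=443 src=198.51.100.7 dst=192.0.2.10 sport=443 dport=40000 [ASSURED] mark=0 use=1
icmp     1 29 src=192.0.2.10 dst=203.0.113.1 type=8 code=0 id=1234 [UNREPLIED] src=203.0.113.1 dst=192.0.2.10 type=0 code=0 id=1234 mark=0 use=1'

# flow_state DUMP SRC DST: prints absent / unreplied / replied for the
# original-direction tuple "src=SRC dst=DST" in DUMP. The reply tuple has
# the addresses swapped, so the fixed-string match only hits the original
# direction. `head` keeps the pipeline status at 0 when grep finds nothing.
flow_state() {
    line=$(printf '%s\n' "$1" | grep -F "src=$2 dst=$3 " | head -n 1)
    if [ -z "$line" ]; then
        echo absent
    elif printf '%s\n' "$line" | grep -q '\[UNREPLIED\]'; then
        echo unreplied
    else
        echo replied
    fi
}

# sync_verdict SRC DST: where does the synced flow actually live?
#   not-synced    -> the peer never replicated it (check conntrackd sync link)
#   cached-only   -> in the external cache but not committed; iptables
#                    cannot match it, so the reply is classified NEW
#   committed-*   -> in the kernel table, with its reply state
sync_verdict() {
    kern=$(flow_state "$KERNEL" "$1" "$2")
    cache=$(flow_state "$CACHE" "$1" "$2")
    if [ "$cache" = absent ]; then
        echo not-synced
    elif [ "$kern" = absent ]; then
        echo cached-only
    else
        echo "committed-$kern"
    fi
}

sync_verdict 192.0.2.10 203.0.113.1   # the ICMP echo from the thread's scenario
```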
