> > It seems you can safely alter the TOS for all packets
> > entering your box/site.
>

Ok, I'll dig into this tip, and see how it goes. If I can't figure out this NAT problem, I'll do this.

> Maybe you can hunt it with tcpdump. I assume you are
> using the patches because the plain kernel has the same problem
> for NAT.
>

Yes, I am running your patch. Kernel is 2.2.22 with the routes-2.2.20-7.diff patch applied. (I'm sure of this, otherwise dead gateway detection will simply not work.)

My question is, if we ensure that EVERY packet, whatever path it uses to arrive, finally passes through a single peer doing NAT, is this supposed to work around my TOS problem? E.g., end services will only see packets coming from the last NAT address, which is a single address whatever path the packets used to arrive.

Something like:

      LAN --> Multipath Firewall
                 |         |
                GW1       GW2
                 |         |
              -------------------
              |  Gateway (NAT)  |
              -------------------
                       |
                Remote Network

What about the rp_filter kernel value? Could it be a problem in such a setup?

Thanks again.

Vincent.

> > A big thanks to both of you. I've learned a lot today :)
> >
> > Thanks again.
> > Regards,
> > Vincent.
>
> Regards
>
> --
> Julian Anastasov <ja@ssi.bg>
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

--
Vincent Jaussaud
Kelkoo.com Security Manager
email: tatooin@kelkoo.com

"The UNIX philosophy is to design small tools that do one thing, and do it well."