Re: many ways to do load balancing (or not?)

Linux Advanced Routing and Traffic Control


 



On Fri, 2002-11-22 at 19:47, William L. Thomson Jr. wrote:

> Actually if you create the proper rules, there are gateways defined in a
> table prior to the multipath. So if the route is known via cache, it will
> take a known gateway.
> 
Yes.

> Otherwise if it is not, it will be compared to each table, and then
> finally hit the multipath equalize one and go from there.
> 
> > But in such a situation, the sraddr in the reply packets is likely to
> > be set to the one on which the original request came on.
> 
> Which will use the rules if defined. They should be there.
Yes.

> Haven't really seen any problems there. So far from my experience my DNS
> queries use both TCP and UDP. I have not seen any problems affecting UDP
> and not TCP. But DNS lookups are quick and short, as most UDP services,
> so there could be some problems there that are not affecting me in my
> current scenario.
> 
That's good news. Normally, TCP port 53 is only used for zone
transfers, while UDP port is used for DNS queries. If you don't see
anything strange in your logs, such as "connection reset by peer", then
it means it works fine. Well, you probably already figured this out :-)

Did you try with other UDP services? (like timed, for instance)

If it works for simple UDP servers like timed, then I would definitely
consider Linux as the best OS in the world ;-)

> > Also, if our ISPs don't do rp_filtering, then we don't care what link is
> > being used for the replies, as soon as the saddr is correct.
> 
> Not sure here, I never got into that aspect. I just assumed they did do
> rp filtering. I played with turning rp filtering on in the Linux router,
> but in the end left it on or whatever the default is.

Anyway, if they do, it should be simple to ask them to disable
rp_filtering. I had some talks with my ISP some days ago, and according
to them, most ISPs don't bother with rp_filtering, except for private
netblocks trying to 'escape' in case of a broken NAT configuration.


-- 
Vincent Jaussaud
Kelkoo.com Security Manager 
email: tatooin@kelkoo.com

"The UNIX philosophy is to design small tools that do one thing, and do
it well."

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
