On Friday 11 April 2008 23:38:30 JST, Joseph Mack NA3T wrote:
> On Fri, 11 Apr 2008, Jason Stubbs wrote:
>
> >>> Is there any problem with essentially hiding the real
> >>> servers from netfilter?
> >>
> >> I don't know what this means (I didn't know that netfilter
> >> knew about the realservers).
> >
> > I mean that it'd be nice for rules to go something like:
> > * Allow from external to VIP
> > * Allow anything established
> > * Drop everything else
> >
> > Depending on where LVS translations are placed in the netfilter path,
> > rules allowing traffic from external to RIPs may also be needed.
>
> I would hope people don't do this. RIPs should be private,
> for security reasons and to preserve the fiction that the
> LVS setup is one machine.

This is precisely why I chose the hooks that I did. My intention was for
the netfilter chains to only ever see the VIP, but packets with the RIP
are going through too after IP_VS_XMIT is called.

> The LVS'ed application running on the realserver might start a client
> process that needs to contact 0/0, but that can be nat'ed out, possibly
> through the VIP on the director, or maybe some other public IP available to
> the realserver. Is this what you want to do?
>
> see
> http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.LVS-DR.html#Pearthree

I didn't quite follow this. Are you referring to services such as FTP?
Nothing should have changed in this regard with my patch. The link did
remind me that I need to test the sync daemon with my patch though. :)

> I take it that you're working late at night on this :-)

Nope, I'm not that crazy. Just reading and responding to work emails from
home as per usual. ;)

-- 
Jason Stubbs
--
To unsubscribe from this list: send the line "unsubscribe lvs-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
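The three-rule director policy Jason sketches above (allow external to VIP, allow established, drop the rest), written out as an iptables ruleset. This is an added example and is not code from the thread, from Jason's patch or from the LVS project. The addresses, ports and interface name are assumptions chosen for illustration: VIP 192.0.2.10, service ports 80 and 443, realservers 10.0.0.11 and 10.0.0.12, external interface eth0. The script only prints the iptables commands (pipe it to `sh` as root to apply them), so it can be inspected without touching a live director. The optional RIP rules cover the case the thread discusses, where the packets re-injected by IP_VS_XMIT, now carrying a RIP as destination, still traverse a filter chain; which chain that is depends on where the ip_vs hooks sit on a given kernel, so the chain name is a variable rather than a claim.

```shell
#!/bin/sh
# Added example (not from the lvs-devel thread or the LVS project):
# generate an iptables ruleset for an LVS director that exposes only the
# VIP to the outside world. All addresses below are assumed values.

VIP="${VIP:-192.0.2.10}"              # assumed virtual IP
PORTS="${PORTS:-80 443}"              # assumed load-balanced TCP ports
RIPS="${RIPS:-10.0.0.11 10.0.0.12}"   # assumed realserver IPs (private)
EXT_IF="${EXT_IF:-eth0}"              # assumed external interface

# Whether to emit rules that let translated packets (dst = RIP) through.
# Needed only if, on your kernel, such packets hit a filter chain after
# IP_VS_XMIT; RIP_CHAIN names that chain (assumption: OUTPUT).
ALLOW_RIP_RULES="${ALLOW_RIP_RULES:-1}"
RIP_CHAIN="${RIP_CHAIN:-OUTPUT}"

# Print the ruleset implementing:
#   1. allow external -> VIP on the service ports
#   2. allow anything already established (or related)
#   3. drop everything else
lvs_director_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Rule 2: established/related connections, checked before NEW so
    # return traffic never depends on a per-port rule.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Rule 1: only the VIP, only the balanced ports, only from outside.
    for p in $PORTS; do
        echo "iptables -A INPUT -i $EXT_IF -d $VIP -p tcp --dport $p" \
             "-m state --state NEW -j ACCEPT"
    done
    # Rule 3 is the INPUT DROP policy set above: anything addressed to
    # the director itself, a RIP included, is dropped unless matched.

    if [ "$ALLOW_RIP_RULES" = 1 ]; then
        # Optional: packets re-injected with a RIP destination.
        echo "iptables -A $RIP_CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT"
        for rip in $RIPS; do
            for p in $PORTS; do
                echo "iptables -A $RIP_CHAIN -d $rip -p tcp --dport $p" \
                     "-m state --state NEW -j ACCEPT"
            done
        done
    fi
}

# Number of emitted rules that mention a realserver address. Zero is the
# ideal the thread describes: netfilter never needs to know the RIPs.
count_rip_rules() {
    n=0
    for rip in $RIPS; do
        c=$(lvs_director_rules | grep -c -- "-d $rip" || true)
        n=$((n + c))
    done
    echo "$n"
}

# Number of rules that accept NEW traffic to the VIP from the outside.
count_vip_rules() {
    lvs_director_rules | grep -c -- "-i $EXT_IF -d $VIP" || true
}
```

Run with `ALLOW_RIP_RULES=0 sh lvs-rules.sh` to get the strict three-rule policy in which no RIP ever appears in a rule; run with the default to see how many RIP-specific rules a kernel that exposes translated packets to a filter chain would force you to add, which is the leak Jason's hook choice was meant to avoid.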