Persistence through a firewall

Brett Simpson simpsonb at hillsboroughcounty.org
Thu Aug 12 13:06:12 BST 2004


On Wed, 2004-08-11 at 20:15, Horms wrote:
> On Wed, Aug 11, 2004 at 10:28:15AM -0400, Brett Simpson wrote:
> > I have an LVS director that uses wrr with 3600 of persistence for two
> > real servers. I noticed that connections going through a firewall from
> > my internal network tend to get locked into one of my real servers but
> > usually don't go to the other real server unless all of the
> > connections have expired to the first real server.
> 
> Are all the connections coming from the same source IP address?
> If so that would explain this behaviour.

Yes. They are coming from behind my firewall from a masqueraded internal
network to my DMZ.

> > 
> > From what I understood with LVS is it's supposed to use the source IP
> > for persistence but I wasn't sure if it also used a source port.
> 
> The source IP address is used, but the source port is not.
> This is because successive connections from the same host will
> almost certainly have a different ephemeral source port.
> 
> There is no parameter in LVS to change this behaviour.
> Though off the top of my head it would seem like a simple
> hack to alter this if you needed to for some reason.

This would definitely be useful.

Thanks,
Brett
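The behaviour Horms describes, as an added simulation that is not LVS code and not something posted in this thread: a director keeps a persistence template keyed on the client's source IP, every new connection from that IP reuses the template, and the template's timeout is refreshed by each new connection, so a masqueraded network that appears as a single firewall address stays pinned to one real server until the whole template expires. The wrr selection follows the weighted round-robin loop LVS uses (interval gcd, current weight stepping down from the maximum). The `key_on_port` flag is hypothetical, standing in for the "simple hack" of also keying on the source port; LVS has no such option. The server addresses, the firewall address and the connection timings are constructed for the example.

```python
"""Simulation of LVS-style persistence templates keyed on client source IP.

Illustration only: this is not LVS code. It shows why a NAT'd network behind
one firewall address gets locked to a single real server with wrr + persistence.
"""
from dataclasses import dataclass
from functools import reduce
from math import gcd


@dataclass
class RealServer:
    ip: str
    weight: int = 1


@dataclass
class Conn:
    t: float       # seconds at which the new connection reaches the director
    src_ip: str    # client address as seen by the director (the firewall's, if NAT'd)
    src_port: int


class Director:
    def __init__(self, servers, persist_timeout=3600, key_on_port=False):
        self.servers = list(servers)
        self.timeout = persist_timeout
        # Hypothetical knob for the "also key on source port" hack; not an LVS option.
        self.key_on_port = key_on_port
        self.templates = {}            # persistence key -> [real server, expiry time]
        self._i = -1                   # wrr state: last index and current weight
        self._cw = 0
        self._gcd = reduce(gcd, (s.weight for s in self.servers))
        self._mw = max(s.weight for s in self.servers)

    def _wrr(self):
        """Weighted round robin in the style of LVS's ip_vs_wrr: walk the
        server list, lowering the current weight by the gcd each full pass,
        and return the first server whose weight reaches the current weight."""
        n = len(self.servers)
        while True:
            self._i = (self._i + 1) % n
            if self._i == 0:
                self._cw -= self._gcd
                if self._cw <= 0:
                    self._cw = self._mw
            if self.servers[self._i].weight >= self._cw:
                return self.servers[self._i]

    def schedule(self, c):
        """Pick a real server for a new connection, honouring persistence."""
        key = (c.src_ip, c.src_port) if self.key_on_port else c.src_ip
        tmpl = self.templates.get(key)
        if tmpl is not None and tmpl[1] > c.t:
            tmpl[1] = c.t + self.timeout   # a new connection refreshes the template
            return tmpl[0]
        srv = self._wrr()                  # no live template: let the scheduler choose
        self.templates[key] = [srv, c.t + self.timeout]
        return srv


def run(conns, servers=None, **kw):
    """Schedule each connection on a fresh director; return the chosen server IPs."""
    servers = servers or [RealServer("10.1.1.1"), RealServer("10.1.1.2")]
    d = Director(servers, **kw)
    return [d.schedule(c).ip for c in conns]


# Constructed sample: six connections from the masqueraded firewall address over
# 50 minutes, then one more after the 3600 s template has been allowed to lapse.
FIREWALL = "192.0.2.10"
SAMPLE = [Conn(t, FIREWALL, 40000 + i) for i, t in enumerate((0, 30, 60, 600, 1800, 3000))]
SAMPLE.append(Conn(8000, FIREWALL, 40100))   # 8000 > 3000 + 3600, template expired

if __name__ == "__main__":
    print("keyed on source IP:      ", run(SAMPLE))
    print("keyed on IP + source port:", run(SAMPLE, key_on_port=True))
```

Keyed on the source IP alone, the first six connections all land on 10.1.1.1 and only the connection arriving after the template has lapsed reaches 10.1.1.2, which is the lock-in Brett observed; with the hypothetical port-aware key, each new connection falls through to wrr and the two real servers alternate.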



More information about the lvs-users mailing list