[lvs-users] Will half-open connections in LVS TUNNEL/DR mode be blocked by the firewall?

JWD j-wd at 163.com
Tue Sep 8 07:31:17 BST 2015

Thank you for your reply.
I am still confused.

Think about this:
Client ----> FireWall(find MAC of LVS) ----> LVS(find MAC of RealServer) ----> RealServer(response with MAC of RealServer) ----> FireWall(What MAC of VIP in ARP table?)

My question is, at the last step:
Will the firewall check the MAC of the VIP? Or ignore it?
What MAC of the VIP is in the firewall's ARP table? The MAC of LVS? Or the MAC of RealServer?


From: Aaron West
Sent: 2015-09-08 05:57
To: LinuxVirtualServer.org users mailing list.; j-wd
Subject: Re: [lvs-users] Will half-open connections in LVS TUNNEL/DR mode be blocked by the firewall?

I hope you don't mind me trying to answer in English.

If the question is will the firewall drop the packet if IP spoofing protection is enabled then I suspect the answer is yes. The reply will come from the real server's MAC address but sourced from the VIP address so I'd recommend disabling any spoofing protection.

Hope that helps.

Aaron West

Loadbalancer.org Limited

+44 (0)330 380 1064

2015-09-05 9:00 GMT+01:00 JWD <j-wd at 163.com>:

