[lvs-users] LVS TUNEL/DR模式的半连接会被防火墙拦截吗?

JWD j-wd at 163.com
Tue Sep 8 07:31:17 BST 2015


hi,
Thank you for your reply.
I still confused.

Think about this:
Client ----> FireWall(find MAC of LVS) ----> LVS(find MAC of RealServer) ----> RealServer(reponse with MAC of RealServer) ----> FireWall(What MAC of VIP in ARP table?)

My question is , at last step:
Will firewall check MAC of VIP? Or igore it?
What MAC of VIP in firewall's ARP table? MAC of LVS? Or MAC of RealServer?




JWD

发件人: Aaron West
发送时间: 2015-09-08 05:57
收件人: LinuxVirtualServer.org users mailing list.; j-wd
主题: Re: [lvs-users] LVS TUNEL/DR模式的半连接会被防火墙拦截吗?
Hi, 


I hope you don't mind me trying to answer in English.


If the question is will the firewall drop the packet if IP spoofing protection is enabled then I suspect the answer is yes. The reply will come from the real server's MAC address but sourced from the VIP address so I'd recommend disabling any spoofing protection.


Hope that helps.


Aaron West


Loadbalancer.org Limited

+44 (0)330 380 1064
www.loadbalancer.org


2015-09-05 9:00 GMT+01:00 JWD <j-wd at 163.com>:

看了LVS的文档,觉得TUNEL/DR模式的半连接应该算是IP欺骗,这种方式会被防护墙拦截吗?
还是说只要数据包里的源IP/目标IP/序列号对的上号,会话就不会有问题?

--------------
JWD
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users at LinuxVirtualServer.org
Send requests to lvs-users-request at LinuxVirtualServer.org
or go to http://lists.graemef.net/mailman/listinfo/lvs-users


More information about the lvs-users mailing list