My 32 net guests cannot contact outside 39 net machines on our same network.
They can contact other 39 net guests on the same host. Conversely, the
external 39 net machine cannot contact any 32 net IP on the vserver host or
any guest.

The problem I had was this: from within a 32 net guest, if I ping a 39 net
external host, it goes out our 39 net card to the external host, gets answered,
and is routed back into our host on 32 net; since the source IP header in the
packet is 32 net, the system ignores it. Setting the value below to 0 cures that.

Am I doing something extremely stupid by disabling this, or is it secure enough
not to worry?

We are protected by tons of ACLs in various routers plus a very strict
iptables on the host.


I found the setting below in sysctl.conf was set to 1. If I set it to 0 as shown,
everything works properly.

# Enables source route verification. 0 disables
net.ipv4.conf.default.rp_filter = 0

-- 

Chuck

"...and the hordes of M$*ft users descended upon me in their anger,
and asked 'Why do you not get the viruses or the BlueScreensOfDeath
or insecure system troubles and slowness or pay through the nose 
for an OS as *we* do?!!', and I answered...'I use Linux'. "
The Book of John, chapter 1, page 1, and end of book


_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
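The behaviour Chuck describes is reverse-path filtering: for every incoming packet the kernel looks up the route back to the packet's source address and, in strict mode (rp_filter = 1), drops the packet if that route would leave through a different interface than the one the packet arrived on. A reply that enters on the 32 net card with a 39 net source fails that check because the route to the 39 net points at the 39 net card. Linux also offers a loose mode (rp_filter = 2), which only requires that some route to the source exists, and the effective mode for an interface is the larger of net.ipv4.conf.all.rp_filter and net.ipv4.conf.<iface>.rp_filter (net.ipv4.conf.default.rp_filter only seeds interfaces created afterwards). The Python below is an added simulation of those three decisions, not kernel code or anything from linux-vserver; the interface names eth32/eth39, the 172.16.32.0/24 and 172.16.39.0/24 prefixes and the routing table are constructed stand-ins for the poster's "32 net" and "39 net".

```python
"""Simulation of the Linux rp_filter decision (added example, not kernel code).

Assumed setup: a host with two cards, eth32 on 172.16.32.0/24 and eth39 on
172.16.39.0/24, both prefixes directly connected.  All addresses are
constructed for illustration.
"""
import ipaddress

# rp_filter values as documented in Documentation/networking/ip-sysctl.txt
RP_OFF, RP_STRICT, RP_LOOSE = 0, 1, 2

# Constructed routing table: (prefix, interface the route leaves through).
# There is deliberately no default route: with one present, loose mode
# accepts any routable unicast source, so the no-route case below would
# never trigger.
ROUTES = [
    (ipaddress.ip_network("172.16.32.0/24"), "eth32"),
    (ipaddress.ip_network("172.16.39.0/24"), "eth39"),
]


def route_interface(dst):
    """Longest-prefix match: which interface the host would use to reach dst,
    or None when the FIB has no route at all."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in ROUTES:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, dev)
    return best[1] if best else None


def rp_filter_accepts(src, ingress_dev, mode):
    """True if a packet with source address src arriving on ingress_dev
    passes reverse-path filtering under the given rp_filter mode."""
    reverse_dev = route_interface(src)
    if mode == RP_OFF:
        return True                      # 0: no check at all
    if mode == RP_LOOSE:
        return reverse_dev is not None   # 2: any route back to src suffices
    return reverse_dev == ingress_dev    # 1: route back must use the ingress card


def effective_mode(all_value, dev_value):
    """The kernel applies max(conf/all, conf/<dev>) for rp_filter."""
    return max(all_value, dev_value)


def asymmetric_reply_decisions():
    """The case from the thread: an echo reply from an external 39 net host
    (constructed address 172.16.39.200) comes back in through the 32 net card."""
    return {mode: rp_filter_accepts("172.16.39.200", "eth32", mode)
            for mode in (RP_OFF, RP_STRICT, RP_LOOSE)}


def unrouted_source_decisions():
    """A packet whose source has no route in the table (constructed 10.9.8.7)
    arriving on the 32 net card: this is the case loose mode still drops
    and rp_filter = 0 lets through."""
    return {mode: rp_filter_accepts("10.9.8.7", "eth32", mode)
            for mode in (RP_OFF, RP_STRICT, RP_LOOSE)}


if __name__ == "__main__":
    names = {RP_OFF: "0 (off)", RP_STRICT: "1 (strict)", RP_LOOSE: "2 (loose)"}
    print("asymmetric 39 net reply entering eth32:")
    for mode, ok in asymmetric_reply_decisions().items():
        print(f"  rp_filter={names[mode]:11} -> {'accept' if ok else 'drop'}")
    print("source with no route entering eth32:")
    for mode, ok in unrouted_source_decisions().items():
        print(f"  rp_filter={names[mode]:11} -> {'accept' if ok else 'drop'}")
    print("effective mode with all=0, eth32=1:", effective_mode(0, 1))
```

The simulation shows why 0 "cures" the problem (the check disappears) and what is given up relative to loose mode: with rp_filter = 2 the asymmetric 39 net reply is still accepted, while a packet whose source the host has no route to is still dropped. On a real host the same lookup can be reproduced with `ip route get <src> iif <ingress-dev>` before changing the sysctl.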
