On Thu, Sep 28, 2006 at 07:35:09PM -0400, Chuck wrote:
my 32 net guests cannot contact outside 39 net machines on our same
network. they can contact other 39 net guests on the same host.
conversely, the external 39 net machine cannot contact any 32 net ip
on the vserver host or any guest..
I assume you mean something like 10.32.0.x/24 and 10.39.0.y/24
here (well, at least it sounds like that is what you mean)
the problem i had was when within a 32net guest if i ping a 39 net
external host, it goes out our 39 net card to the external host gets
answered and routed back into our host on 32net since the source ip
header in the packet is 32 net and the system ignores it.
yes, by default, the host is allowed to choose any network
address which is assigned to an interface, the reverse path
filter basically blocks packets which could not have originated
from that interface, because it does not hold that ip
setting below to 0 cures that.
so, what you basically did, is to allow the packets to leave
the interfaces with an ip from a different interface/routing
too (which is harmless, but probably not what you actually
wanted)
am i doing something extremely stupid by disabling this or is it
secure enough not to worry?
we are protected by tons of acls in various routers plus a very
strict iptables on the host.
the better approach would be to set up two routing tables,
(given that there are two nics/routes on the host), and
use source based routing to figure the proper interface
but if that 'works for you' then it is no big deal, as I
said, it's usually off by default ...
HTH,
Herbert
i found below in sysctl.conf was set to 1. if i set it to 0 as shown
everything works properly..
# Enables source route verification. 0 disables
net.ipv4.conf.default.rp_filter = 0
--
Chuck
"...and the hordes of M$*ft users descended upon me in their anger,
and asked 'Why do you not get the viruses or the BlueScreensOfDeath
or insecure system troubles and slowness or pay through the nose
for an OS as *we* do?!!', and I answered...'I use Linux'. "
The Book of John, chapter 1, page 1, and end of book
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver