[CentOS] Not firewall, but what?
Les Mikesell
lesmikesell at gmail.com
Tue May 11 15:50:52 UTC 2010
On 5/11/2010 8:32 AM, Jussi Hirvi wrote:
>> Jussi Hirvi wrote:
>>> But I have found no mention of this specific dual-bridge
>>> problem I have: that ip traffic goes in ok through any physical nic to
>>> the dom0 or domUs, but all replies are routed to only one nic (the
>>> default gateway). (I verified this with tcpdump.)
>
> On 11.5.2010 16.08, Les Mikesell wrote:
>> That's not xen or bridge related. Unless you do policy-based routing, packets
>> always follow the destination route regardless of where the input was received.
>> That's a feature, not a bug.
>
> Ok. But this error does not occur on my other CentOS 5 box (mailserver,
> non-xen) which also has 2 nics for 2 public ip segments. There input-nic
> is always = output-nic. And I have done nothing special to achieve this
> (pure "linux magic"). That's why I "blame" bridges - they are the most
> notable difference between these two machines.
That doesn't make much (any?) sense. IP traffic is always
destination-routed unless you do something unusual. On the other hand,
even if you send out to the 'wrong' internet gateway following your
default route, any internet connection should be able to deliver to any
internet destination. Asymmetrical routing is both permitted and
normal, although not necessarily desirable and it may not make it
through stateful firewalls.
--
Les Mikesell
lesmikesell at gmail.com
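The "policy-based routing" Les mentions is what makes replies leave through the interface they arrived on. Below is an added example, not code from the thread or from CentOS: a POSIX sh script that builds one routing table per uplink and a source-address rule pointing at it, so that anything sent from the address on segment B goes out through segment B's gateway while ordinary destination routing stays in the main table. Interface names (xenbr0/xenbr1), addresses, gateways and table numbers are hypothetical placeholders using RFC 5737 documentation ranges; on a Xen dom0 the rule has to reference the bridge that carries the address, not the physical NIC enslaved to it. By default the script only prints the `ip` commands (DRY_RUN=1) so they can be reviewed without root; run it with DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example, not code from the thread: source-based policy routing so that
# replies go back out of the interface on which the request came in.
# All interface names, addresses, gateways and table numbers are hypothetical
# placeholders (RFC 5737 documentation ranges); substitute the real values.
# DRY_RUN=1 (the default) prints each command instead of executing it, so the
# result can be reviewed as an unprivileged user before running it as root
# with DRY_RUN=0.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# add_source_route IFACE ADDR NETWORK GATEWAY TABLE
#   IFACE   interface carrying ADDR. On a Xen dom0 this is the bridge
#           (e.g. xenbr1), not the physical NIC enslaved to it.
#   ADDR    the local address on that segment
#   NETWORK the segment in CIDR form, e.g. 198.51.100.0/24
#   GATEWAY the router on that segment
#   TABLE   a routing table number (1-252) dedicated to this uplink
# Builds a per-uplink table with its own default route and adds a rule that
# sends packets *sourced* from ADDR through that table. Destination routing
# in the main table is left untouched.
add_source_route() {
    iface="$1"; addr="$2"; network="$3"; gw="$4"; table="$5"
    # Connected route so the gateway is reachable from within the table.
    run ip route add "$network" dev "$iface" src "$addr" table "$table"
    run ip route add default via "$gw" dev "$iface" table "$table"
    # Replies carry the address the request was sent to as their source,
    # so this rule steers them back through the uplink they came in on.
    run ip rule add from "$addr" lookup "$table" priority 1000
}

# Strict reverse-path filtering drops packets that arrive on an interface
# the kernel would not itself use to reach the packet's source. With the
# per-source rules above in place the reverse lookup resolves to the arrival
# interface; without them, rp_filter is a common reason a second uplink
# looks dead. Returns 0 (and names the interface) if any has rp_filter=1.
check_rp_filter() {
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" = "1" ]; then
            echo "strict rp_filter enabled on $(basename "$(dirname "$f")")"
            return 0
        fi
    done
    return 1
}

# Two public segments, one per bridge (hypothetical values).
setup_two_uplinks() {
    add_source_route xenbr0 192.0.2.10    192.0.2.0/24    192.0.2.1    100
    add_source_route xenbr1 198.51.100.10 198.51.100.0/24 198.51.100.1 101
    # Kernels of the CentOS 5 era cache routing decisions; flush after changes.
    run ip route flush cache
}

setup_two_uplinks
```

Verify with `ip rule show` and `ip route show table 101` after applying; a tcpdump on each bridge should then show replies leaving the interface the request arrived on. The commands do not survive a reboot; CentOS 5 initscripts can persist them in route-<iface> and rule-<iface> files under /etc/sysconfig/network-scripts/ (see the sysconfig.txt shipped with your initscripts package for the exact syntax).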