[CentOS] Not firewall, but what?

Tue May 11 15:50:52 UTC 2010
Les Mikesell <lesmikesell at gmail.com>

On 5/11/2010 8:32 AM, Jussi Hirvi wrote:
>> Jussi Hirvi wrote:
>>> But I have found no mention of this specific dual-bridge
>>> problem I have: that ip traffic goes in ok through any physical nic to
>>> the dom0 or domUs, but all replies are routed to only one nic (the
>>> default gateway). (I verified this with tcpdump.)
>
> On 11.5.2010 16.08, Les Mikesell wrote:
>> That's not xen or bridge related.  Unless you do policy-based routing, packets
>> always follow the destination route regardless of where the input was received.
>> That's a feature, not a bug.
>
> Ok. But this error does not occur on my other CentOS 5 box (mailserver,
> non-xen) which also has 2 nics for 2 public ip segments. There input-nic
> is always = outputnic. And I have done nothing special to achieve this
> (pure "linux magic"). That's why I "blame" bridges - they are the most
> notable difference between these two machines.

That doesn't make much (any?) sense.  IP traffic is always 
destination-routed unless you do something unusual.  On the other hand, 
even if you send out to the 'wrong' internet gateway following your 
default route, any internet connection should be able to deliver to any 
internet destination.  Asymmetrical routing is both permitted and 
normal, although not necessarily desirable and it may not make it 
through stateful firewalls.

-- 
   Les Mikesell
    lesmikesell at gmail.com
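To make the routing point in the reply above concrete, here is an added simulation (not code from the thread or from any of the participants) of how the Linux kernel chooses an outgoing interface: one routing table searched by longest-prefix match on the destination, plus optional policy rules that select a different table based on the packet's source address. The host layout, addresses and table contents are constructed for the example: eth0 on 203.0.113.0/24 carries the default route, eth1 sits on 198.51.100.0/24. With destination-only routing, a reply sourced from eth1's address still leaves via eth0's gateway, exactly the asymmetry observed with tcpdump in the thread; a single source-based rule makes the reply leave the interface the request arrived on.

```python
import ipaddress

# Constructed two-NIC host (example addresses, not taken from the thread):
#   eth0: 203.0.113.10/24, gateway 203.0.113.1  (carries the default route)
#   eth1: 198.51.100.10/24, gateway 198.51.100.1
# A table is a list of (prefix, interface, gateway); gateway None = on-link.
MAIN_TABLE = [
    ("203.0.113.0/24", "eth0", None),
    ("198.51.100.0/24", "eth1", None),
    ("0.0.0.0/0", "eth0", "203.0.113.1"),
]

# Dedicated table for traffic sourced from eth1's own address. The
# equivalent iproute2 setup (assumed table number 100) would be:
#   ip route add default via 198.51.100.1 dev eth1 table 100
#   ip rule add from 198.51.100.10 lookup 100
TABLE_VIA_ETH1 = [
    ("198.51.100.0/24", "eth1", None),
    ("0.0.0.0/0", "eth1", "198.51.100.1"),
]


def lookup(table, dst):
    """Longest-prefix match on the destination inside one routing table.

    Returns (interface, gateway) or None when no route covers dst.
    """
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, gw in table:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    return None if best is None else (best[1], best[2])


def route(dst, src, rules):
    """Walk policy rules in priority order; the first rule whose source
    selector matches (None = match everything) names the table to consult.
    If that table has no route for dst, fall through to the next rule,
    which is how the kernel's rule walk behaves."""
    src_ip = ipaddress.ip_address(src)
    for selector, table in rules:
        if selector is None or src_ip in ipaddress.ip_network(selector):
            result = lookup(table, dst)
            if result is not None:
                return result
    return None


# Plain destination routing: only the main table, no source selector.
DESTINATION_ONLY = [(None, MAIN_TABLE)]

# Policy routing: replies sourced from eth1's address use the eth1 table.
POLICY = [("198.51.100.10/32", TABLE_VIA_ETH1), (None, MAIN_TABLE)]


def reply_path(rules, remote="192.0.2.77"):
    """Outgoing (interface, gateway) for a reply that a request arriving on
    eth1 would generate: source is eth1's address, destination is the
    constructed remote client."""
    return route(remote, "198.51.100.10", rules)


if __name__ == "__main__":
    print("destination-only:", reply_path(DESTINATION_ONLY))  # leaves via eth0
    print("policy routing:  ", reply_path(POLICY))            # leaves via eth1
```

The asymmetric case is not an error as far as IP is concerned: the reply still reaches the remote host over eth0's upstream. It becomes a problem only where a stateful device on the eth1 path expects to see both directions of the flow, which is the point the reply above makes about stateful firewalls.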