Hi Chris,

>
> From my understanding, and experience with this same problem 'connecting
> to self' I have observed that connections made from the VS start sockets
> on eth0 when one would hope it would use eth0:2. In other words, use the
> virtual interface instead of the real one.
>

Ah, okay, just tested this... If I lynx to port 8080 on the VS from the host
server, in the logs this request appears with the VS's IP instead of the
host server's. So it appears that traffic to alias interfaces on the local
machine always appears to originate from that same alias interface...

That's a slightly different issue to what you're talking about. But it
doesn't really explain why the iptables rules don't work, since those rules
are not placing any restriction on the source address. Presumably it instead
means the rule is not getting executed at all.


> Another related issue:
> If you send yourself some email from your VS account to an account on a
> different server and look at the headers you will see that your host
> server will be exposed due to the fact that the smtp server you connect
> to will do a reverse lookup on your ip and discover the host server, not
> the vs, since the packets originate from there.
>

Yep, not sure that could be fixed without hacking the Linux IP stack.


> I think this is probably the biggest problem with running an effective
> VS at the moment. Here is my understanding: If all VS' connections
> originate from '127.0.0.1' on the host server, do all my clients have
> access to VSD protocol? Yes. You have to allow it to be able to use
> vsdadm from the command line. I'm sure there are plenty of other reasons to
> want VS' connections to originate from the VS' ip not the host's ip, and
> not allow access to 127.0.0.1 from the VS.

As long as you use the SSL version of VSD this shouldn't be a problem since
the VS users won't have access to your certificate. (They'll be able to
connect to the svsd service but won't be able to authenticate. Just like
they can probably connect to your ssh service but can't login.)

Cheers,

Simon

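As an added illustration of the source-address behaviour discussed above (this is my own example, not code from the thread or from freeVSD): a small Python check that opens a listener on a local address, connects to it from the same host, and reports which source address the kernel chose, with and without binding the client socket first. The addresses are constructed loopback stand-ins, with 127.0.0.1 playing the VS alias and 127.0.0.2 the address a daemon would bind to so its outgoing connections carry the VS's IP rather than the host's.

```python
import socket


def observed_source(dest_ip, bind_ip=None):
    """Open a listener on dest_ip, connect to it from this same host, and
    return the source address the kernel picked for the client socket.
    With bind_ip set, the client binds before connecting, which pins the
    source address instead of leaving the choice to the routing table."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((dest_ip, 0))            # ephemeral port, standing in for 8080
    srv.listen(1)
    port = srv.getsockname()[1]
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if bind_ip is not None:
            cli.bind((bind_ip, 0))    # explicit source address selection
        cli.connect((dest_ip, port))  # handshake completes without accept()
        return cli.getsockname()[0]
    finally:
        cli.close()
        srv.close()


def demo(alias_ip="127.0.0.1", pin_ip="127.0.0.2"):
    """Constructed stand-in addresses: alias_ip plays the VS alias (eth0:2)
    and pin_ip the address we want connections to originate from.
    Returns the observed source address for the default and pinned cases."""
    result = {"default": observed_source(alias_ip)}
    try:
        result["pinned"] = observed_source(alias_ip, bind_ip=pin_ip)
    except OSError:
        result["pinned"] = None       # 127.0.0.2 is only bindable on Linux
    return result


if __name__ == "__main__":
    for case, src in demo().items():
        print(f"{case}: connection appears to come from {src}")
```

The default case reproduces the lynx observation: a connection to a local address is sourced from that same address, so the listener's log shows the VS IP; the pinned case shows what a client has to do to originate from a chosen address instead.
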
------------------------- The freeVSD Support List --------------------------
Subscribe:   mailto:[EMAIL PROTECTED]?body=subscribe%20freevsd-support
Unsubscribe: mailto:[EMAIL PROTECTED]?body=unsubscribe%20freevsd-support
Archives:    http://freevsd.org/support/mail-archives/freevsd-support
-----------------------------------------------------------------------------
