Just an update that the issue with iptables is not being ignored. However, we have been concentrating on removing the need for iptables by getting Apache to run securely on port 80... Details as soon as the testing is completed.

Tim

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Simon Garner
> Sent: 10 December 2001 02:22
> To: Chris Fulton
> Cc: freevsd-support
> Subject: Re: [Openvds-devel] iptables
>
> Hi Chris,
>
> > From my understanding, and experience with this same problem 'connecting
> > to self' I have observed that connections made from the VS start sockets
> > on eth0 when one would hope it would use eth0:2. In other words, use the
> > virtual interface instead of the real one.
>
> Ah, okay, just tested this... If I lynx to port 8080 on the VS from the host
> server, in the logs this request appears with the VS's IP instead of the
> host server's. So it appears that traffic to alias interfaces on the local
> machine always appears to originate from that same alias interface...
>
> That's a slightly different issue to what you're talking about. But it
> doesn't really explain why the iptables rules don't work, since those rules
> are not placing any restriction on the source address. Presumably it instead
> means the rule is not getting executed at all.
>
> > Another related issue:
> > If you send yourself some email from your VS account to an account on a
> > different server and look at the headers you will see that your host
> > server will be exposed due to the fact that the smtp server you connect
> > to will do a reverse lookup on your ip and discover the host server, not
> > the vs, since the packets originate from there.
>
> Yep, not sure that could be fixed without hacking the Linux IP stack.
>
> > I think this is probably the biggest problem with running an effective
> > VS at the moment. Here is my understanding: If all VS' connections
> > originate from '127.0.0.1' on the host server, do all my clients have
> > access to VSD protocol? Yes. You have to allow it to be able to use
> > vsdadm from the command line. I'm sure there are plenty of other reasons to
> > want VS' connections to originate from the VS' ip not the host's ip, and
> > not allow access to 127.0.0.1 from the VS.
>
> As long as you use the SSL version of VSD this shouldn't be a problem since
> the VS users won't have access to your certificate. (They'll be able to
> connect to the svsd service but won't be able to authenticate. Just like
> they can probably connect to your ssh service but can't login.)
>
> Cheers,
>
> Simon
>
> ------------------------- The freeVSD Support List --------------------------
> Subscribe: mailto:[EMAIL PROTECTED]?body=subscribe%20freevsd-support
> Unsubscribe: mailto:[EMAIL PROTECTED]?body=unsubscribe%20freevsd-support
> Archives: http://freevsd.org/support/mail-archives/freevsd-support
> -----------------------------------------------------------------------------
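The thread above observes that a VS's outbound connections carry the host's address rather than the alias's, because the kernel picks the source address when the socket is not bound. A practical check for that, and the fix at the application level, is to compare what a listener sees when the client lets the kernel choose versus when the client binds to the alias before connecting. The script below is an added example written for this page, not freeVSD code; it assumes a Linux-style loopback where the whole 127.0.0.0/8 is local, and uses the constructed addresses 127.0.0.1 (standing in for the host server) and 127.0.0.2 (standing in for a VS alias such as eth0:2) so it runs offline.

```python
import socket
from contextlib import closing


def observed_source(listen_ip, client_bind_ip=None):
    """Listen on listen_ip (ephemeral port), connect to it from this host,
    and return the source address the listener observes for that connection.
    If client_bind_ip is given, the client socket is bound to it before
    connect(); that explicit bind is what pins the source address instead of
    leaving the choice to the kernel's route lookup."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((listen_ip, 0))  # port 0: the kernel picks a free port
        srv.listen(1)
        port = srv.getsockname()[1]
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as cli:
            if client_bind_ip is not None:
                cli.bind((client_bind_ip, 0))
            cli.connect((listen_ip, port))
            conn, peer = srv.accept()
            conn.close()
            return peer[0]


def alias_source_report(host_ip, alias_ip):
    """Report whether connections aimed at alias_ip originate from the host
    address when unbound, and confirm that binding to alias_ip corrects it."""
    kernel_chosen = observed_source(alias_ip)
    bound = observed_source(alias_ip, client_bind_ip=alias_ip)
    return {
        "kernel_chosen": kernel_chosen,   # source picked by the kernel
        "bound_to_alias": bound,          # source after explicit bind()
        "leaks_host": kernel_chosen == host_ip,
    }


if __name__ == "__main__":
    # Constructed addresses: 127.0.0.1 plays the host server, 127.0.0.2 plays
    # the VS alias. On a real host substitute the eth0 and eth0:2 addresses.
    for key, value in alias_source_report("127.0.0.1", "127.0.0.2").items():
        print(f"{key}: {value}")
```

The `leaks_host` field is the value to watch: when it is true, any service on the VS that does not bind its outbound sockets will show the host's address to remote peers and to reverse lookups, which is exactly the mail-header exposure described in the quoted message. Note that this does not touch the iptables question itself; as Simon says, those rules place no restriction on the source address, so a source-selection quirk does not explain why they fail to match.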
