Hello,

On 01/25/2016 04:17 PM, Willy Tarreau wrote:
> On Mon, Jan 25, 2016 at 04:46:36PM +0200, mat.mar...@yahoo.com wrote:
>> On 20.01.2016 12:31, mat.mar...@yahoo.com wrote:
>>> Just a short correction.
>>> Before was from an allowed IP.
>>> This is the output from a not allowed IP :
>>>
>>> ~# telnet eumail.domain.com 25
>>> Trying X.X.X.X...
>>> Connected to eumail.domain.com.
>>> Escape character is '^]'.
>>> Connection closed by foreign host
>>>
>>>
>>>
>> So... there's no solution to drop the request before forwarding behind?
> 
> What do you mean, that's exactly what you did in the example above ?
> 

I think there is a misunderstanding here.

@Mat - there is no way for HAProxy to drop connections like a firewall
does, because the firewall will match the first packet, a SYN, and then
drop it immediately. HAProxy is only "notified" about the connection
once it has gone through the three-way handshake (in the kernel) and can
only drop the connection after.

In both cases the request is not forwarded to the backend server; what
you are seeing is merely the connection between the client and HAProxy.

This is why there is a difference in the telnet output.

Regards,
Nenad

> Willy
> 
> 
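The behaviour described in the reply above can be reproduced on loopback. This is an added example, not code from the thread or from HAProxy: a listening socket stands in for the proxy, the allowlists are constructed values, and the banner stands in for traffic relayed from a backend.

```python
import ipaddress
import socket


def is_allowed(addr, networks):
    """Source-address check, the kind of test a proxy ACL performs."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in networks)


def demo(allowed_networks):
    """Connect to a loopback listener and record what each side observes."""
    result = {}
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0: the kernel picks a free port
    listener.listen(8)
    port = listener.getsockname()[1]

    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.settimeout(5)
    # connect() returns once the kernel has finished SYN / SYN-ACK / ACK.
    # The "proxy" below has not called accept() yet, so it could not have
    # stopped the client from seeing "Connected".
    client.connect(("127.0.0.1", port))
    result["connected_before_accept"] = True

    # Only now does user space learn about the connection and its source.
    conn, peer = listener.accept()
    if is_allowed(peer[0], allowed_networks):
        # Constructed banner standing in for traffic relayed from a backend.
        conn.sendall(b"220 constructed banner\r\n")
        result["forwarded"] = True
    else:
        result["forwarded"] = False       # nothing is sent to any backend
    conn.close()

    # Empty bytes means the peer closed: telnet's "Connection closed by foreign host".
    result["client_received"] = client.recv(1024)
    client.close()
    listener.close()
    return result


if __name__ == "__main__":
    print("denied :", demo(["192.0.2.0/24"]))   # loopback not in the list
    print("allowed:", demo(["127.0.0.0/8"]))
```

In the denied case the client still connects and then reads end-of-file, which matches the telnet output quoted earlier; refusing the SYN itself has to happen in a packet filter in front of the listener.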
