On Fri, Jan 05, 2007 at 01:34:43AM +0000, Jefferson Ogata wrote:
> On 2007-01-04 22:43, Gary Mills wrote:
> > I've already found most of those. There are lots of daemons that will
> > forward TCP connections. I've tried some of them. The problem with
> > them is that they initiate new connections. That means that the
> > originating IP address is lost. I want to preserve that information
> > so that client logging works correctly on the destination server.
>
> Think about what actually would happen in your desired scenario:
>
> 1. Remote client C sends a SYN packet from source endpoint C:P to
> service destination endpoint D:S, which resides on a translating box D.
> On the client, the socket is in SYN_SENT state with remote endpoint D:S.
>
> 2. Translating box receives SYN packet and translates destination to E:T
> and retransmits it to serving box E. So now the SYN packet is C:P -> E:T.
>
> 3. Serving box E receives the SYN packet and responds with a SYN/ACK
> from E:T -> C:P. The socket on the serving box is in SYN_RCVD state with
> remote endpoint C:P. Since the SYN/ACK destination C is remote, E sends
> the packet out through the default router, so the translating box D
> never sees this packet.
>
> 4. Client box C receives SYN/ACK from E:T and discards it, because it
> has no pending TCP connection in SYN_SENT state with E:T as the remote
> endpoint.

Thanks for the detailed explanation. Obviously my knowledge of TCP is
lacking, or I would have already known why it couldn't work. It was all
this talk of `rdr must go through the firewall' that confused me.

> There is cluster load balancing that relies on shared IPs and ARP
> balancing and does no translation of destinations, but this is a
> completely different animal from IP Filter and requires a specialized
> network setup.

The one I was thinking about is Sun Cluster, although I can only guess
how it works from what I've read so far. The documentation does say
that ipfilter can't be run on cluster nodes. I assumed this was because
the cluster software already uses the pfil streams module for its own
purposes. Cluster nodes typically are all connected to the same
network. However there is a private interconnect between nodes. I
suppose that could be used to redirect connections to other nodes.

-- 
-Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-
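As an added illustration (not part of this mailing-list thread, and not IP Filter code), the Python model below replays the four-step exchange quoted above. It tracks only the endpoint tuples and the TCP state names used in the thread: with the translator rewriting the destination alone, the server's SYN/ACK leaves via its default router, never passes box D, and the client finds no SYN_SENT socket whose remote endpoint is E:T, so it discards the segment. Switching on source rewriting (the behaviour of the forwarding daemons Gary rejected) makes the handshake complete but leaves the server logging D's address instead of the client's. Host names, port numbers, class names and the `run()` helper are all constructed for this example.

```python
"""Toy model of the rdr handshake from the thread.

Constructed example: hosts are named C (client), D (translating box) and
E (serving box); ports and helper names are made up for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int

    def __str__(self) -> str:
        return f"{self.host}:{self.port}"


@dataclass
class Segment:
    src: Endpoint
    dst: Endpoint
    flags: str  # "SYN" or "SYN/ACK"


C = Endpoint("C", 40000)      # remote client endpoint C:P
D = Endpoint("D", 80)         # service endpoint D:S on the translating box
E = Endpoint("E", 8080)       # real service endpoint E:T on the serving box
D_NAT = Endpoint("D", 50000)  # source endpoint D uses when it also rewrites the source


class Translator:
    """Box D with an rdr rule D:S -> E:T; optionally rewrites the source too."""

    def __init__(self, rewrite_source: bool):
        self.rewrite_source = rewrite_source
        self.reverse = {}  # rewritten source endpoint -> original client endpoint

    def inbound(self, seg: Segment):
        if seg.dst == D and seg.flags == "SYN":
            new_src = seg.src
            if self.rewrite_source:
                self.reverse[D_NAT] = seg.src
                new_src = D_NAT
            return Segment(new_src, E, seg.flags)
        if seg.dst in self.reverse:  # reply to a source we rewrote: map it back
            return Segment(D, self.reverse[seg.dst], seg.flags)
        return None  # no state for this packet on D: dropped


class Server:
    """Box E: answers a SYN with a SYN/ACK addressed to whatever source it saw."""

    def __init__(self):
        self.state = None
        self.peer = None  # what E would log as the client address

    def receive(self, seg: Segment):
        if seg.dst == E and seg.flags == "SYN":
            self.state, self.peer = "SYN_RCVD", seg.src
            return Segment(E, seg.src, "SYN/ACK")
        return None


class Client:
    """Box C: keeps a SYN_SENT socket keyed by the remote endpoint it connected to."""

    def __init__(self):
        self.pending = {}  # remote endpoint -> TCP state

    def connect(self, remote: Endpoint) -> Segment:
        self.pending[remote] = "SYN_SENT"
        return Segment(C, remote, "SYN")

    def receive(self, seg: Segment) -> bool:
        if seg.flags == "SYN/ACK" and self.pending.get(seg.src) == "SYN_SENT":
            self.pending[seg.src] = "ESTABLISHED"
            return True
        return False  # no SYN_SENT socket with this remote endpoint: discard


def route(seg, translator, server, client, trace):
    """Deliver a segment to the host named in its destination.  Only packets
    addressed to D traverse the translator; E's reply to C goes straight out
    E's default router, exactly as step 3 of the quoted message says."""
    trace.append(f"{seg.src} -> {seg.dst} {seg.flags}")
    if seg.dst.host == "D":
        out = translator.inbound(seg)
        return route(out, translator, server, client, trace) if out else None
    if seg.dst.host == "E":
        reply = server.receive(seg)
        return route(reply, translator, server, client, trace) if reply else None
    return client.receive(seg)


def run(rewrite_source: bool) -> dict:
    client, server = Client(), Server()
    translator, trace = Translator(rewrite_source), []
    established = bool(route(client.connect(D), translator, server, client, trace))
    return {"client_established": established,
            "server_sees_peer": str(server.peer),
            "trace": trace}


if __name__ == "__main__":
    for mode in (False, True):
        result = run(rewrite_source=mode)
        print(f"rewrite_source={mode}: {result}")
```

Running it with `rewrite_source=False` reproduces the thread's failure: the last segment in the trace is `E:8080 -> C:40000 SYN/ACK` and the client never reaches ESTABLISHED. With `rewrite_source=True` the handshake completes through D, but `server_sees_peer` becomes `D:50000`, which is precisely the loss of the originating address that Gary wanted to avoid.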
