> 
>       It seems you can safely alter the TOS for all packets
> entering your box/site.
> 
Ok, I'll dig into this tip, and see how it goes. 
If I can't figure out this NAT problem, I'll do this.

>       Maybe you can hunt it with tcpdump. I assume you are
> using the patches because the plain kernel has the same problem
> for NAT.
> 
Yes, I am running your patch. Kernel is 2.2.22 with routes-2.2.20-7.diff
patch applied. (I'm sure of this, otherwise dead gateway detection would
simply not work.)

My question is, if we ensure that EVERY packet, whatever path it uses
to arrive, finally passes through a single peer doing NAT, is this supposed
to work around my TOS problem?

E.g., end services will only see packets coming from the last NAT address,
which is the same whichever path the packets used to arrive.

Something like:

LAN --> Multipath Firewall
          |             |
         GW1            GW2
          |             |
        -------------------
                |
              Gateway
               (NAT)
                |
            --------- Remote Network


What about the rp_filter kernel value? Could it be a problem in such a
setup?

Thanks again.
Vincent.

> > A big thanks to both of you. I've learned a lot today :)
> >
> > Thanks again.
> > Regards,
> > Vincent.
> 
> Regards
> 
> --
> Julian Anastasov <[EMAIL PROTECTED]>
> 
> _______________________________________________
> LARTC mailing list / [EMAIL PROTECTED]
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
-- 
Vincent Jaussaud
Kelkoo.com Security Manager 
email: [EMAIL PROTECTED]

"The UNIX philosophy is to design small tools that do one thing, and do
it well."

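The rp_filter question above is worth seeing in concrete terms. Strict reverse-path filtering drops a packet when the route back to its source address does not point out the interface it arrived on; on a multipath firewall the reply from the NAT gateway may come back through GW2 even though the firewall sent the request via GW1, so how the filter treats a multipath route decides whether legitimate replies survive. The following Python model is an added example for this thread, not code from the kernel, from the routes patch, or from either poster; it does not claim to reproduce the 2.2.x fib_validate_source() logic. The interface names (eth0/eth1/eth2), prefixes and addresses are assumptions chosen to match the ASCII diagram, and the two "strict" variants are the two plausible behaviours a practitioner should test for on the real box rather than a statement of what 2.2.22 does.

```python
"""Model of reverse-path filtering (rp_filter) on a multipath firewall.

Added illustration only: not kernel code, and not the behaviour of any
specific kernel version. Routing table, interface names and addresses
are constructed to mirror the diagram LAN -> firewall -> GW1/GW2 -> NAT gw.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    devs: tuple  # one device for a normal route, several for a multipath route


# Constructed routing table of the multipath firewall (assumed addressing).
ROUTES = [
    Route(ipaddress.ip_network("192.168.1.0/24"), ("eth0",)),    # LAN side
    Route(ipaddress.ip_network("10.0.1.0/30"), ("eth1",)),       # link to GW1
    Route(ipaddress.ip_network("10.0.2.0/30"), ("eth2",)),       # link to GW2
    Route(ipaddress.ip_network("0.0.0.0/0"), ("eth1", "eth2")),  # multipath default
]


def lookup(addr):
    """Longest-prefix match over ROUTES; returns the Route or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for r in ROUTES:
        if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def rp_filter(src, in_dev, mode):
    """Return True if a packet from `src` arriving on `in_dev` is accepted.

    mode:
      "off"          - no reverse-path check at all.
      "strict_first" - strict RPF that trusts only the first nexthop of a
                       multipath route (the pessimistic case: replies that
                       come back via the other gateway are dropped).
      "strict_any"   - strict RPF that accepts the packet if any nexthop of
                       the reverse route uses in_dev (multipath-aware).
    Spoofed sources (e.g. a LAN address arriving from a gateway link) are
    rejected by both strict variants, which is the check rp_filter exists for.
    """
    if mode == "off":
        return True
    route = lookup(src)
    if route is None:
        return False  # no route back at all: drop
    if mode == "strict_first":
        return route.devs[0] == in_dev
    if mode == "strict_any":
        return in_dev in route.devs
    raise ValueError(f"unknown mode {mode!r}")


def classify(packets, mode):
    """Apply rp_filter to a list of {'src', 'dev'} dicts; returns (packet, accepted) pairs."""
    return [(p, rp_filter(p["src"], p["dev"], mode)) for p in packets]


# Constructed sample traffic: two NAT-gateway replies (one per gateway link)
# and one packet claiming a LAN source but arriving from the GW1 link.
SAMPLE_PACKETS = [
    {"src": "203.0.113.10", "dev": "eth1"},  # reply via GW1
    {"src": "203.0.113.10", "dev": "eth2"},  # reply via GW2 (asymmetric return)
    {"src": "192.168.1.5", "dev": "eth1"},   # LAN address from outside: spoofed
]

if __name__ == "__main__":
    for mode in ("off", "strict_first", "strict_any"):
        print(mode)
        for pkt, ok in classify(SAMPLE_PACKETS, mode):
            print(f"  {pkt['src']:>14} on {pkt['dev']}: {'accept' if ok else 'DROP'}")
```

Run it as-is to see that the spoofed LAN source is dropped by both strict variants, while the reply returning via GW2 is only dropped by the variant that trusts a single nexthop. To find out which variant your kernel implements, send traffic that is known to return through the "other" gateway and watch it with tcpdump on the firewall's eth2 while rp_filter is 1 and then 0 on that interface (/proc/sys/net/ipv4/conf/eth2/rp_filter); if the counts differ, rp_filter is eating your replies and the multipath-facing interfaces need it off, with spoofing protection done by explicit filter rules instead.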