On Sun, 2007-07-29 at 13:51 -0400, Gerry Reno wrote:
> iptables: MASTER and BACKUP DIRECTORS:
> Table: filter
> Chain INPUT (policy ACCEPT)
> num  target               prot opt source       destination
> 1    RH-Firewall-1-INPUT  0    --  0.0.0.0/0    0.0.0.0/0
>
> Chain FORWARD (policy ACCEPT)
> num  target  prot opt source       destination
> 1    REJECT  0    --  0.0.0.0/0    0.0.0.0/0    reject-with icmp-host-prohibited
>
> Chain OUTPUT (policy ACCEPT)
> num  target  prot opt source       destination
> 1    ACCEPT  0    --  224.0.0.0/8  0.0.0.0/0
> 2    ACCEPT  0    --  0.0.0.0/0    224.0.0.0/8
>
> Chain RH-Firewall-1-INPUT (1 references)
> num  target  prot opt source       destination
> 1    ACCEPT  0    --  0.0.0.0/0    0.0.0.0/0
> 2    ACCEPT  icmp --  0.0.0.0/0    0.0.0.0/0    icmp type 255
> 3    ACCEPT  esp  --  0.0.0.0/0    0.0.0.0/0
> 4    ACCEPT  ah   --  0.0.0.0/0    0.0.0.0/0
> 5    ACCEPT  udp  --  0.0.0.0/0    224.0.0.251  udp dpt:5353
> 6    ACCEPT  udp  --  0.0.0.0/0    0.0.0.0/0    udp dpt:631
> 7    ACCEPT  tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpt:631
> 8    ACCEPT  0    --  0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
> 9    ACCEPT  tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:22
> 10   ACCEPT  tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:443
> 11   ACCEPT  tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:80
> 12   ACCEPT  tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp dpts:1010:1023
> 13   ACCEPT  tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:904
> 14   REJECT  0    --  0.0.0.0/0    0.0.0.0/0    reject-with icmp-host-prohibited
> 15   ACCEPT  0    --  224.0.0.0/8  0.0.0.0/0
> 16   ACCEPT  0    --  0.0.0.0/0    224.0.0.0/8
>
>
> Again, when director firewalls are down everything works great; when
> they are up we get split brain.
You need rules 15 & 16 *before* rule 14. The REJECT should be the last one in the set.

Graeme

_______________________________________________
LinuxVirtualServer.org mailing list - [email protected]
Send requests to [EMAIL PROTECTED] or go to http://lists.graemef.net/mailman/listinfo/lvs-users
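Graeme's point about rule order, as an added example that is not part of the thread: a small Python first-match walk over the RH-Firewall-1-INPUT chain as posted and again with rules 15 and 16 moved ahead of the REJECT. It assumes rule 1 is the stock Red Hat loopback rule (-i lo, an interface match that `iptables -L -n` without -v does not show), and the heartbeat packet (protocol vrrp, group 224.0.0.18, eth0) is a constructed guess at the directors' multicast traffic.

```python
import ipaddress

def rule(target, proto="0", src="0.0.0.0/0", dst="0.0.0.0/0", **match):
    return {"target": target, "proto": proto, "src": src, "dst": dst, "match": match}

def matches(r, pkt):
    """Subset of iptables matching: proto, src/dst CIDR, -i, --dport, state."""
    if r["proto"] != "0" and r["proto"] != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(r["src"]):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(r["dst"]):
        return False
    m = r["match"]
    if "iface" in m and m["iface"] != pkt["iface"]:
        return False
    if "dport" in m and pkt.get("dport") not in m["dport"]:
        return False
    return "state" not in m or pkt["state"] in m["state"]

def verdict(chain, pkt):
    """Walk the chain top-down like the kernel does: the first match decides."""
    for number, r in enumerate(chain, 1):
        if matches(r, pkt):
            return number, r["target"]
    return None, "RETURN"  # no match: fall back to the INPUT chain's policy

# RH-Firewall-1-INPUT as posted. Rule 1 is assumed to be the stock Red Hat
# loopback rule (-i lo); the interface match is hidden because the listing lacks -v.
AS_POSTED = [
    rule("ACCEPT", iface="lo"),                                                  # 1
    rule("ACCEPT", proto="icmp"),                                                # 2
    rule("ACCEPT", proto="esp"), rule("ACCEPT", proto="ah"),                     # 3, 4
    rule("ACCEPT", proto="udp", dst="224.0.0.251/32", dport={5353}),             # 5
    rule("ACCEPT", proto="udp", dport={631}), rule("ACCEPT", proto="tcp", dport={631}),  # 6, 7
    rule("ACCEPT", state={"RELATED", "ESTABLISHED"}),                            # 8
    rule("ACCEPT", proto="tcp", state={"NEW"}, dport={22}),                      # 9
    rule("ACCEPT", proto="tcp", state={"NEW"}, dport={443}),                     # 10
    rule("ACCEPT", proto="tcp", state={"NEW"}, dport={80}),                      # 11
    rule("ACCEPT", proto="tcp", state={"NEW"}, dport=range(1010, 1024)),         # 12
    rule("ACCEPT", proto="tcp", state={"NEW"}, dport={904}),                     # 13
    rule("REJECT"),                                                              # 14: catch-all
    rule("ACCEPT", src="224.0.0.0/8"),                                           # 15: unreachable
    rule("ACCEPT", dst="224.0.0.0/8"),                                           # 16: unreachable
]
# Graeme's fix: the multicast rules go ahead of the REJECT, which becomes the last rule.
FIXED = AS_POSTED[:13] + AS_POSTED[14:] + [AS_POSTED[13]]
# Constructed packet: a multicast heartbeat from the peer director arriving on eth0.
# The protocol name and group address are assumptions, not taken from the thread.
HEARTBEAT = {"proto": "vrrp", "src": "192.168.1.2", "dst": "224.0.0.18", "iface": "eth0", "state": "NEW"}
```

`verdict(AS_POSTED, HEARTBEAT)` stops at rule 14 with REJECT, so the peer's announcements never arrive and each director believes it is alone; `verdict(FIXED, HEARTBEAT)` accepts the packet on the relocated destination-multicast rule.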
