Nice. This about does the trick on the realservers:

iptables -A OUTPUT -p tcp --dport 113 -j REJECT

One last question: the above command reduces the wait to 3 seconds as opposed to 30 seconds. However, it also increases the delay of rshing to the RIP from 0 to 3 seconds. Is there any way to further tune the command? Thanks.

djm

David Merhar
(512) 835-3611
[email protected]

On Dec 19, 2008, at 10:40 AM, Graeme Fowler wrote:

> On Fri, 2008-12-19 at 10:20 -0600, David Merhar wrote:
>> Alright, maybe some progress.
>>
>> The strace on in.rlogind (strace -pf <xinetd PID>) shows the hangup on
>> connect(0, {sa_family=AF_INET sin_port=htons(113) sin_addr(DIP)}, 128) - typed, so probably not perfect.
>
> Make sure you REJECT rather than DROP ident lookups on the director, or
> even better configure the realservers to REJECT them in the OUTPUT chain
> on the outgoing interface.
>
> If they get DROPped, then the calling process will exhibit the exact
> hangup you're seeing. This is very, very common in SMTP systems using
> ident lookups with badly configured firewalls.
>
> Graeme
>
>
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - [email protected]
> Send requests to [email protected]
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
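The REJECT-versus-DROP point in the exchange above, as an added example that is not part of the thread or of the LVS project: the script below emits the ident rules for a realserver and a director, and audits an iptables-save dump for the DROP rules on tcp/113 that produce the hang. The interface name eth0, the use of `--reject-with tcp-reset` (a plain REJECT sends icmp-port-unreachable; a TCP RST makes connect() fail with ECONNREFUSED exactly as a closed port would), and the sample dump are all my assumptions, not something the posters wrote.

```shell
#!/bin/sh
# Added example: iptables ident (113/tcp) rules and a DROP audit.
# Not code from the mailing-list thread; see the lead-in for assumptions.

# Rule for a realserver: refuse the outbound ident lookup that a local daemon
# (in.rlogind under xinetd in the thread) makes back toward the client, and
# answer with a TCP RST so connect() fails immediately with ECONNREFUSED.
# Argument: outgoing interface (assumed default eth0).
realserver_ident_rules() {
    printf '%s\n' \
        "iptables -A OUTPUT -o ${1:-eth0} -p tcp --dport 113 -j REJECT --reject-with tcp-reset"
}

# Rule for a director that receives ident lookups itself: reject them with a
# RST in INPUT rather than letting a DROP policy eat the SYN.
director_ident_rules() {
    printf '%s\n' \
        "iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset"
}

# Audit an iptables-save dump read from stdin. Prints every rule that matches
# ident (tcp port 113, source or destination) and jumps to DROP, which is the
# setting that leaves the caller waiting for its SYN to time out.
# Returns 0 when no such rule exists, 1 when at least one was found.
audit_ident_drops() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            -A*) ;;            # only rule lines, skip :CHAIN, *table, COMMIT
            *) continue ;;
        esac
        case "$line" in       # exact port 113, not 1130 etc.
            *"--dport 113 "*|*"--dport 113"|*"--sport 113 "*|*"--sport 113") ;;
            *) continue ;;
        esac
        case "$line" in
            *"-j DROP"*) printf 'DROP on ident: %s\n' "$line"; found=1 ;;
        esac
    done
    return "$found"
}

# Stand-alone use: print the rules; pass "audit" to check the live ruleset.
realserver_ident_rules eth0
director_ident_rules
if [ "${1:-}" = "audit" ]; then
    iptables-save | audit_ident_drops
fi
```

The audit only flags explicit DROP rules; a chain whose default policy is DROP with no REJECT rule for port 113 gives the same hang and is not caught, so check the `:OUTPUT`/`:INPUT` policy lines as well. Run it as `sh ident.sh audit` as root on each realserver and on the director.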
