On Mon, Jan 29, 2007 at 05:36:12PM +0100, Marian Hettwer wrote:
> Pierre-Yves Ritschard wrote:
> >On Mon, 29 Jan 2007 17:20:50 +0100
> >Marian Hettwer <[EMAIL PROTECTED]> wrote:
> >
> >>Which would mean, I send a SYN to my load balancer, which forwards
> >>the SYN to one of my webservers, and the webserver would send a
> >>SYN-ACK back to me. But my machine obviously can't do anything with
> >>a SYN-ACK from an IP address it didn't even ask...
> >>The client would expect to get a SYN-ACK from the load balancer
> >>(which he asked...)
> >>
> >>understood?
> >
> >no you don't get it.
> I believe I do get it. But I missed an important piece of information about my
> load balancing setup. See below.
> >you set up your webservers with the load balancer as default gateway
> >then use rdr as I described in my previous mail. hence all the traffic
> >goes through the load-balancer and real client ips are preserved.
>
> Ah... there we go.
> I can't set up the webservers with their default gateway to my load
> balancer. The boxes are dedicated servers and I have no possibility to
> change the network settings.
> These are rented servers (dedicated boxes) at some cheap ISP and all
> they have is an official IP address.
> Changing the default gateway isn't possible...
> Sorry 'bout that.
I'm fairly sure that sufficient abuse of pf can get the webservers to
send all replies to traffic to port 80/443 to your load balancer.
Of course, that's pf, and your webservers are Linux. But I would be
surprised if something similar couldn't be arranged.

Joachim
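For reference, here is what the two halves of this scheme look like as pf.conf fragments. This is an added example, not configuration from anyone in the thread: the rdr-based balancer Pierre-Yves describes, plus the "pin the reply path with pf" variant Joachim hints at for a backend whose default gateway cannot be changed. Interface names, addresses and the table contents are placeholders; the syntax is OpenBSD pf with inline rdr-to (4.7 and later) and the parenthesised reply-to form used up to 5.4 (newer releases write the next hop as $lb@$web_if). The backend half assumes the load balancer is reachable on the same segment as $web_if, which the rented boxes in the thread may not have; a Linux backend would need equivalent policy routing instead.

```pf
# ---------------------------------------------------------------
# Load balancer: the box clients connect to (assumed addresses)
# ---------------------------------------------------------------
ext_if = "em0"                 # assumed: interface carrying the public VIP
vip    = "192.0.2.10"          # assumed: address clients connect to
table <webservers> { 192.0.2.21, 192.0.2.22 }   # assumed backend addresses

# rdr-to rewrites only the destination, so each backend sees the real
# client source address in its own logs (no X-Forwarded-For header to
# trust). round-robin spreads new connections; sticky-address keeps a
# given client on the same backend for the life of its source tracking.
pass in on $ext_if proto tcp to $vip port { 80 443 } \
    rdr-to <webservers> round-robin sticky-address

# The balancer must forward packets (net.inet.ip.forwarding=1), and the
# backends' replies must come back through it so the state created above
# can rewrite the source back to $vip. That is why Pierre-Yves wants the
# backends to use this box as their default gateway.

# ---------------------------------------------------------------
# Backend running pf, default gateway NOT changed (Joachim's variant)
# ---------------------------------------------------------------
web_if = "em0"                 # assumed: backend's public interface
lb     = "192.0.2.1"           # assumed: load balancer, on-link via $web_if

# reply-to attaches a next hop to the state: replies belonging to
# connections accepted by this rule are sent to $lb instead of following
# the routing table, so only web traffic takes the balancer path and all
# other traffic still uses the ISP's default gateway.
pass in on $web_if reply-to ($web_if $lb) proto tcp to $web_if port { 80 443 }
```

The point of keeping the reply path symmetric is that the balancer's state table sees both directions of every connection: it can then rewrite the source back to the VIP, enforce state timeouts, and log per-connection, and the backends log genuine client addresses, which is what you want when reviewing access logs for abuse.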