Brian J. Murrell wrote:
>
> So I am convinced that the problem is the flip-flopping of the active
> default route to achieve load balancing. And I consider this a bug in
> the rp_filter functionality.

Alternatively, I've long suspected that rp_filter doesn't take the packet mark
into consideration.

One experiment you can run for me: When you are seeing this:

> # ip route get 74.111.215.93
> 74.111.215.93 via 192.168.200.1 dev ppp0 src 66.11.173.224
> cache mtu 1452 advmss 1412 metric 10 64

What does "ip route get 74.111.215.93 from 72.38.184.236" give you?

>
> As for the 66.11.173.224 (i.e. the address of the ppp0 interface)
> appearing in the martian log entry source addresses, I'm beginning to
> think that that is just the error message printing that for whatever
> reason.

From your 'shorewall dump':

Chain eth1_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
...
    3   456 SNAT       all  --  *      *       66.11.173.224        0.0.0.0/0           policy match dir out pol none to:72.38.184.236

So the SNAT rule has been exercised at some point. If any of those connections
was your freenet6 application, it would explain how the ppp0 address got into
the Martian messages.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
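
The comparison that the "ip route get ... from ..." experiment above makes, as a toy model added here (not code from the original message, from Shorewall, or from the kernel). The addresses and the ppp0 gateway are taken from the thread; the per-source policy rules, the table names, the eth1 gateway and the idea that the lookup may be keyed on a local address are assumptions of this example.

```python
# Toy model of a strict reverse-path check. Not kernel code.
from dataclasses import dataclass
from typing import Optional

PPP0_ADDR = "66.11.173.224"   # ppp0 address (from the thread)
ETH1_ADDR = "72.38.184.236"   # SNAT target on eth1 (from the thread)
REMOTE = "74.111.215.93"      # remote host (from the thread)

@dataclass(frozen=True)
class Route:
    dev: str
    via: str

# Assumed per-provider tables, selected by "from <address>" rules.
TABLES = {
    "ppp0_table": Route("ppp0", "192.168.200.1"),   # gateway from the thread
    "eth1_table": Route("eth1", "198.51.100.1"),    # constructed gateway
}
RULES = [(PPP0_ADDR, "ppp0_table"), (ETH1_ADDR, "eth1_table")]

def route_get(dst: str, src: Optional[str], active_default: str) -> Route:
    """Model of 'ip route get DST [from SRC]' for a non-local DST."""
    for rule_src, table in RULES:
        if src == rule_src:
            return TABLES[table]
    # No rule matched: fall through to whichever default is active now.
    return TABLES[active_default]

def rp_check(in_dev: str, pkt_src: str, key: Optional[str],
             active_default: str) -> bool:
    """Strict check: the route back to pkt_src must leave via in_dev."""
    return route_get(pkt_src, key, active_default).dev == in_dev

def survey(in_dev: str, pkt_src: str, active_default: str) -> dict:
    """Check result for each local address the lookup could be keyed on."""
    return {key: rp_check(in_dev, pkt_src, key, active_default)
            for key in (None, ETH1_ADDR, PPP0_ADDR)}

if __name__ == "__main__":
    # A packet from REMOTE arrives on eth1; the active default flips.
    for default in ("ppp0_table", "eth1_table"):
        print(default, survey("eth1", REMOTE, default))
```

In this model a packet arriving on eth1 passes only when the lookup lands in the eth1 table: always when keyed on 72.38.184.236, never when keyed on 66.11.173.224, and intermittently (following the active default) when no source is given.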