[Vserver] having a routing problem from guests

From: Chuck <chuck_at_sbbsnet.net>
Date: Fri 29 Sep 2006 - 00:35:09 BST
Message-Id: <200609281935.09709.chuck@sbbsnet.net>

My 32 net guests cannot contact outside 39 net machines on our same network.
They can contact other 39 net guests on the same host. Conversely, the
external 39 net machine cannot contact any 32 net IP on the vserver host or
any guest.

The problem I had was that when, within a 32 net guest, I ping a 39 net
external host, it goes out our 39 net card to the external host, gets answered,
and is routed back into our host on 32 net since the source IP header in the
packet is 32 net, and the system ignores it. Setting the value below to 0 cures that.

Am I doing something extremely stupid by disabling this, or is it secure enough
not to worry?

We are protected by tons of ACLs in various routers plus a very strict
iptables on the host.

I found the setting below in sysctl.conf was set to 1. If I set it to 0 as shown,
everything works properly.

# Enables source route verification. 0 disables
net.ipv4.conf.default.rp_filter = 0

-- 
Chuck
"...and the hordes of M$*ft users descended upon me in their anger,
and asked 'Why do you not get the viruses or the BlueScreensOfDeath
or insecure system troubles and slowness or pay through the nose 
for an OS as *we* do?!!', and I answered...'I use Linux'. "
The Book of John, chapter 1, page 1, and end of book
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Received on Fri Sep 29 00:38:02 2006
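
The reverse-path check discussed in the message above, modelled as an added example (not part of the original post or of any Linux-VServer code). The prefixes 10.0.32.0/24 and 10.0.39.0/24 and the interface names eth0/eth1 are constructed placeholders for the "32 net" and "39 net" sides; modes 0, 1 (strict) and 2 (loose), and the max() rule, are as documented for current Linux kernels.

```python
import ipaddress

# Constructed topology: the post only says "32 net" and "39 net"; these
# prefixes and interface names are placeholders, not values from the post.
ROUTES = [  # (destination prefix, outgoing interface)
    (ipaddress.ip_network("10.0.32.0/24"), "eth0"),  # "32 net" side
    (ipaddress.ip_network("10.0.39.0/24"), "eth1"),  # "39 net" side
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),     # default route
]

def lookup(addr, routes=ROUTES):
    """Longest-prefix match: interface the host would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, ifc) for net, ifc in routes if ip in net]
    return max(matches)[1] if matches else None

def effective_mode(conf_all, conf_iface):
    """The kernel validates with max(conf/all, conf/<iface>) rp_filter."""
    return max(conf_all, conf_iface)

def rp_filter_accepts(src, in_iface, mode, routes=ROUTES):
    """Reverse-path check (RFC 3704) for a packet from src seen on in_iface."""
    if mode == 0:              # check disabled
        return True
    back = lookup(src, routes)
    if back is None:           # no route back to the source at all
        return False
    if mode == 1:              # strict: return path must use the same interface
        return back == in_iface
    return True                # loose: any route back to the source is enough

def verdicts(src, in_iface, routes=ROUTES):
    """Accept/drop decision for each rp_filter mode."""
    return {m: rp_filter_accepts(src, in_iface, m, routes) for m in (0, 1, 2)}

if __name__ == "__main__":
    # Reply from a 39-net host that was routed back in on the 32-net interface.
    print("asymmetric reply:", verdicts("10.0.39.50", "eth0"))
    # Same reply arriving on the 39-net interface (symmetric path).
    print("symmetric reply: ", verdicts("10.0.39.50", "eth1"))
    # Unrouted source when the table has no default route.
    print("no route back:   ", verdicts("192.0.2.7", "eth0", ROUTES[:2]))
    # Setting only the interface to 0 while conf/all stays 1 still filters.
    print("all=1, iface=0 ->", effective_mode(1, 0))
```

`net.ipv4.conf.default.rp_filter` only seeds interfaces created afterwards; the check on an existing interface uses `conf/all` and `conf/<iface>`, which is what `effective_mode` models.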