Feature #4024

closed

Add a reject rule to prevent traffic from "falling through" relayd and reaching the GUI accidentally

Added by Jim Pingle over 9 years ago. Updated over 4 years ago.

Status: Closed
Priority: Low
Assignee: -
Category: Load Balancer
Target version: -
Start date: 11/18/2014
% Done: 0%

Description

Currently, if relayd is in use and all pool servers are down, the connection does not get any NAT applied and will end up directing the user to the firewall instead. If relayd is using an interface IP, CARP VIP, or IP Alias VIP, then in the HTTP or HTTPS case it can cause clients to be redirected to the GUI and potentially receive a certificate error, and may lead to problematic client behavior.

If a reject rule is placed to match connections going to the external virtual server IP (before NAT) on the port being relayed, then the connection will be rejected if the pools are all down and no NAT rules are present from relayd. It would be helpful to have such a reject rule be added automatically to prevent the unintended behavior from ever occurring.

Such an automatic rule should be optional in case someone is relying on the current behavior.

Actions #1

Updated by Jim Pingle over 4 years ago

  • Status changed from New to Closed

The relayd Load Balancer has been deprecated and removed from 2.5.0.

Actions #2

Updated by Jim Pingle over 4 years ago

  • Target version deleted (Future)