Feature #4024

Add a reject rule to prevent traffic from "falling through" relayd and reaching the GUI accidentally

Added by Jim Pingle about 3 years ago.

Status: New
Priority: Low
Assignee: -
Category: Load Balancer
Target version:
Start date: 11/18/2014
Due date:
% Done: 0%


Description

Currently, if relayd is in use and all pool servers are down, the connection does not get any NAT applied and will end up directing the user to the firewall instead. If relayd is using an interface IP, CARP VIP, or IP Alias VIP, then in the HTTP or HTTPS case it can cause clients to be redirected to the GUI and potentially receive a certificate error, and may lead to problematic client behavior.

If a reject rule is placed to match connections going to the external virtual server IP (before NAT) on the port being relayed, then the connection will be rejected if the pools are all down and no NAT rules are present from relayd. It would be helpful to have such a reject rule be added automatically to prevent the unintended behavior from ever occurring.

Such an automatic rule should be optional in case someone is relying on the current behavior.
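
A sketch of the rule described above, written as a pf ruleset fragment. This is an added example, not part of the ticket and not pfSense's generated ruleset. The interface name, addresses and ports are constructed placeholders, and the anchor lines assume the FreeBSD pf syntax in which translation and filter anchors are declared separately.

```pf
# Constructed placeholders: adjust to the actual virtual server.
ext_if      = "em0"
vs_addr     = "203.0.113.10"      # external virtual server IP (interface IP, CARP VIP or IP Alias)
vs_ports    = "{ 80, 443 }"       # ports being relayed
pool_net    = "10.0.0.0/24"       # pool servers behind the firewall

# relayd loads its redirect rules into this anchor while at least one
# pool server is up. With every pool server down, no NAT is applied and
# the packet keeps its original destination ($vs_addr).
rdr-anchor "relayd/*"

# Translation is evaluated before filtering, so a relayed connection
# reaches the filter rules with a pool server as its destination and
# never matches the rule below. Only untranslated traffic still
# addressed to the virtual server IP is rejected, which keeps it from
# being answered by the firewall's own GUI listener on the same port.
# "block return" answers TCP with a RST, i.e. a reject rather than a drop.
block return in quick on $ext_if proto tcp from any to $vs_addr port $vs_ports

anchor "relayd/*"

# Relayed (already translated) connections to the pool.
pass in quick on $ext_if proto tcp from any to $pool_net port $vs_ports keep state
```

With the pool down, a client connecting to the virtual server address gets a connection refused instead of the GUI login page and its certificate.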
