It's by design. The individual servers have two IP addresses on the same network (and physical NIC) and I don't actually know how 'the originating IP address' would be determined then for a generic system call. However it does make sense for you conceptually to explicitly enable both servers by their own IP address rather than just the floating IP address. I would allow all three.
From: Neil Watson [mailto:redhat watson-wilson ca]
Sent: Tue Nov 21 07:53:24 2006
To: linux clustering
Subject: [Linux-cluster] floating IP and firewall access
I have a two node cluster addressed 172.16.1.203 and 172.16.1.204. They
are configured in active/passive mode. The active node has the shared
IP 172.16.1.205. The active node needs to access a server residing in
a protected subnet. The firewall there has granted access from the
shared IP 172.16.1.205. When the active node attempts to access the
protected server it does so with its address of 172.16.1.203 and not the
shared address of 172.16.1.205. Is this by design?
Neil Watson | Debian Linux
System Administrator | Uptime 16 days
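
The behaviour discussed in this thread, as an added example that is not part of the original messages: a client socket that does not bind before connecting gets its source address from the kernel, while one that binds first presents the address it chose. It assumes Linux loopback, where all of 127.0.0.0/8 is local; 127.0.0.2 is a constructed stand-in for the floating address, and the helper names are hypothetical.

```python
import socket
import threading


def observed_source(server_addr, source_ip=None):
    """Connect to server_addr and return the client IP the server saw.

    source_ip=None leaves source selection to the kernel; otherwise the
    socket is bound to source_ip (port 0 = any port) before connecting.
    """
    src = (source_ip, 0) if source_ip else None
    with socket.create_connection(server_addr, timeout=5,
                                  source_address=src) as s:
        return s.recv(64).decode()


def start_echo_peer(listen_ip="127.0.0.1"):
    """Constructed stand-in for the protected server: replies with peer IP."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_ip, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:  # listening socket was closed
                return
            with conn:
                # This is the address a firewall rule would match on.
                conn.sendall(peer[0].encode())

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()


def demo():
    srv, addr = start_echo_peer()
    try:
        default = observed_source(addr)               # kernel picks source
        pinned = observed_source(addr, "127.0.0.2")   # application picks it
    finally:
        srv.close()
    return default, pinned


if __name__ == "__main__":
    print(demo())
```

On the cluster in the question, the equivalent of the pinned call would bind to 172.16.1.205 on the active node; software that cannot bind its source address will keep presenting the node's own address, which is why the reply suggests allowing all three.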