Hello Joe,
> well no. On the director I'm only adding rules for the device
> carrying the VIP. I tell it to accept packets for each VIP:service
> and to REJECT all others. I haven't thought how to handle
> the OUTPUT chain yet, since it could be on the same device
> or it could be on another NIC. For the moment I'm leaving
> the real-server network unfiltered.
Well, this highly depends on the deployed architecture:
LVS_DR or LVS_NAT.
> When packets get to the real-servers, they are filtered with
> the same rules as for the director (it's the same piece
> of code being run again). Here I filter for the packets
> arriving on the real-server's network device and with dest=VIP.
You mean you set up a filter on the realservers too?
> Should I still have DENY on INPUT and OUTPUT?
I'm a little bit out of context; which setup are we talking about,
LVS_DR or LVS_NAT? Anyway, the general approach should be:
1. policy DENY for all chains
2. enable the service on the chains for incoming and outgoing (consider
the fact that, for example, realservers never start with a SYN).
Best regards,
Roberto Nibali, ratz
--
mailto: `echo NrOatSz@xxxxxxxxx | sed 's/[NOSPAM]//g'`
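The two-step approach above (default DENY on every chain, then open only VIP:service, remembering that a realserver never originates a SYN), as an added example written for this thread, not code posted by anyone in it. It assumes LVS_DR (VIP packets arrive on the realserver's NIC with dest=VIP and replies leave from the VIP), uses iptables syntax with DROP standing in for ipchains' DENY, and the VIP 192.0.2.10, the interface eth0 and the ports are constructed placeholders.

```shell
#!/bin/sh
# Added example: emit a default-deny ruleset for an LVS_DR director or
# realserver. Nothing is applied; the commands are printed so they can be
# reviewed first. Role, VIP, NIC and ports are caller-supplied (constructed).

gen_rules() {
    role=$1 vip=$2 nic=$3
    shift 3                       # remaining arguments: TCP service ports
    # 1. policy DENY (DROP) for all chains
    printf 'iptables -P INPUT DROP\n'
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -P OUTPUT DROP\n'
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    printf 'iptables -A OUTPUT -o lo -j ACCEPT\n'
    # 2. enable only VIP:service on the incoming and outgoing chains
    for port in "$@"; do
        # client -> VIP:port on the NIC; anything else to the VIP is rejected below
        printf 'iptables -A INPUT -i %s -p tcp -d %s --dport %s -j ACCEPT\n' \
            "$nic" "$vip" "$port"
        if [ "$role" = realserver ]; then
            # replies leave from VIP:port; a realserver never starts a
            # connection, so a pure SYN from the service port is not allowed
            printf 'iptables -A OUTPUT -o %s -p tcp -s %s --sport %s ! --syn -j ACCEPT\n' \
                "$nic" "$vip" "$port"
        fi
    done
    # REJECT (not silently drop) everything else addressed to the VIP on the NIC
    printf 'iptables -A INPUT -i %s -d %s -j REJECT\n' "$nic" "$vip"
}

# usage: gen_rules.sh director|realserver VIP NIC PORT [PORT...]
if [ "$#" -ge 4 ]; then
    gen_rules "$@"
fi
```

Pipe the output into sh as root to apply it; management traffic (ssh, DNS, monitoring) is not opened here and needs its own rules.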