|
Connection tracking doesn't work in iptables if LVS is getting the packets.
Tried many times, many ways.
Right now I secure the VIP by blocking low ports and "around" others, but
this still leaves high ports exposed and isn't a very good security model.
High ports can't be blocked if there is going to be FTP on there anyway.
From what I understand, there is already connection tracking inside the LVS
module. I'm wondering instead of letting the module pass the packet along,
have an option to let it drop the packet if it doesn't have a match. This
would be far easier and not have extra any part of the OS "exposed" to the
open network. This would also eliminate any iptables rules for that VIP
greatly simplifing setup and security. :)
Thx / B++ / K90, Inc.
*********** REPLY SEPARATOR ***********
On 12/20/01, at 10:14 PM, Wensong Zhang wrote:
>Hello,
>
>On Wed, 19 Dec 2001, Brett Johnson wrote:
>
>> It doesn't look like this ML got my response I did a few days ago...so
here
>> is a portion of it about firewalling LVS.
>> This would be a really good security option to add that would hopefully
be
>> easy:
>>
>> How hard would it be to tell LVS to just drop everything it doesn't have
an
>> entry for in the ipvs table???
>>
>> An example would be: I alias an IP address for the intent of LVS usage.
>> Perhaps make it an option (that I can turn off or on) to say that
anything
>> that doesn't show up in the "ipvsadm -Ln" table gets dropped for that
>> aliased IP only. From a security stand point this would be really great
as
>> rules can be easily written for the real IP that wont get any LVS
entries
>> anyway.
>>
>
>Why not use iptables/ipchains for this? Let things in "ipvsadm -Ln" pass
>and drop the rest things on this aliased IP.
>
>Regards,
>
>Wensong
|
