|
Brett Johnson wrote:
Connection tracking doesn't work in iptables if LVS is getting the packets.
Tried many times, many ways.
We've patches (small to ipvs, tiny to netfilter) to get netfilter connection
tracking working with ipvs. Will cleanup and send soon.
Padraig.
Right now I secure the VIP by blocking low ports and "around" others, but
this still leaves high ports exposed and isn't a very good security model.
High ports can't be blocked if there is going to be FTP on there anyway.
From what I understand, there is already connection tracking inside the LVS
module. I'm wondering instead of letting the module pass the packet along,
have an option to let it drop the packet if it doesn't have a match. This
would be far easier and not have extra any part of the OS "exposed" to the
open network. This would also eliminate any iptables rules for that VIP
greatly simplifing setup and security. :)
Thx / B++ / K90, Inc.
*********** REPLY SEPARATOR ***********
On 12/20/01, at 10:14 PM, Wensong Zhang wrote:
Hello,
On Wed, 19 Dec 2001, Brett Johnson wrote:
It doesn't look like this ML got my response I did a few days ago...so
here
is a portion of it about firewalling LVS.
This would be a really good security option to add that would hopefully
be
easy:
How hard would it be to tell LVS to just drop everything it doesn't have
an
entry for in the ipvs table???
An example would be: I alias an IP address for the intent of LVS usage.
Perhaps make it an option (that I can turn off or on) to say that
anything
that doesn't show up in the "ipvsadm -Ln" table gets dropped for that
aliased IP only. From a security stand point this would be really great
as
rules can be easily written for the real IP that wont get any LVS
entries
anyway.
Why not use iptables/ipchains for this? Let things in "ipvsadm -Ln" pass
and drop the rest things on this aliased IP.
Regards,
Wensong
|
