Re: LVS Project Plans - firewall on director box(es)?

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: LVS Project Plans - firewall on director box(es)?
From: Vinnie <listacct1@xxxxxxxxxx>
Date: Fri, 28 Mar 2003 16:03:54 -0500
Joseph Mack wrote:
> Peter Mueller wrote:
>
>> I can't think of many situations where you would have different rules than
>> just a NAT type firewall box.  Like Joe says, trial and error is good here.
>
> The problem is that now that LVS is a netfilter module, it was not possible
> to write it in the netfilter format, and so there are collisions between LVS
> rules and netfilter rules.
>
> The specs for LVS never included it being a firewall as well.
> That was just too hard.
>
> http://www.linuxvirtualserver.org/Joseph.Mack/HOWTO/LVS-HOWTO.filter_rules.html#firewall_on_director
>
> However, while any arbitrary grouping of rules that would be OK
> by netfilter may not be OK in the presence of LVS, you should
> be able to get most of what you want.
>
> Joe

Thanks for the feedback!

Yep, I guess going down to the nuts and bolts, the primary firewall is a packet filter, although I do use stateful inspection in the chains to do things like expedite packets belonging to connections already in progress. I do a little bit of stuff in the NAT PREROUTING chains also, such as dropping traffic coming from invalid/non-routable source addresses, and dropping any traffic I have blacklisted; by having it in NAT PREROUTING I don't have to have a rule in each chain which monitors traffic coming in from the external interface.

Also, I'm currently running a proxy-arp type setup, but it doesn't have to be that way, and I can already foresee that possibly having to go "bye-bye". ;)

Probably the logical thing to do, as both of you have said, would be to just try things out and test how it goes. I can set it up as a director/firewall on the INTERNAL subnet to test with, and if I can get it to function as an internal gateway/director to the servers, it should just be a matter of changing addresses in the config files and scripts to move it out to the front lines.

vinnie
