On Sat, 3 Feb 2001, Julian Anastasov wrote:
> I prefer my services to listen on 0.0.0.0 if
> possible.
I assume there are some environments where people won't be happy about
exposing ports. Ratz deals with security more than I do, so he'll be able
to say if this is important or not. At my work, the govt holds industry
information that is confidential that these industries don't want their
competitors to have (industry doesn't like giving info to the govt in the
first place). Our machines are routinely port scanned to make sure we
haven't added new services and are routinely attacked by some govt dept to
look for holes. I would assume people like this would not want ports
showing even on private IPs (once you break into the director, the
real-server's IPs aren't private anymore).
After reading about tcpserver, I decided that I should at least make it
possible for people who want to minimise port exposure, to be able to
do so.
> Yes, maybe games with raw sockets can work but this is a
> routing problem too. I don't see a way to run such checks in the
> director. You already know that I prefer the solution with agents
> reporting information.
My configure script is now running everything from the director.
The rc.lvs files get copied by scp to the real-servers and the
setup on the real-servers (including port scanning the VIP)
is run by ssh from the director.
It would be easy enough to run the mon alerts on the real-servers
(instead of the director as they are now) and have them report to the
director by ssh about the status of services on the realserver's VIP.
Joe
--
Joseph Mack mack@xxxxxxxxxxx