Hi Joe,
> > I don't think LVS really has anything to do with whether
> > someone should use ftp for security reasons or not. Securing ftp is a
> > separate issue from LVS. IMHO, anyway...
>
> well yes, true.
I second that.
> I just thought it might be good to put a warning in the section
> about ftp in the HOWTO that having ftp will (unnecessarily?) expose your
> LVS (and other machines on your network) to security problems.
Hmm, as long as people use your script to set the box up, it doesn't matter
what exactly they run on the realservers, because the external interface's
default policy for incoming traffic is accept for all protocols and all
ports :) I'd rather phrase it the way that "People trying to secure the LVS
using the LVS as a packetfilter will have no big success in doing it
for the ftp protocol because it is so open."
ftp is something to care about in every environment, doesn't matter if LVS or not; you
should just be aware of that fact.
Best regards,
Roberto Nibali, ratz
BTW: A little upgrade for your configure.pl script (we can talk about
it in a private mail exchange):
o setting up the MASQuerading rules for the forward chain should be
combined with the outgoing interface. So add a -j $EXT_IF to your
script.
o generally you're right to open the input and output chain for the
external interface, because if you didn't, your mailbox would fill
up with messages from people telling you that it doesn't work anymore.
But you could consider at least setting the input policy to DENY and
then for God's sake do an ipchains -A input -j ACCEPT -i $INT_IF and
the appropriate rules for the input chain of the EXT_IF.
--
mailto: `echo NrOatSz@xxxxxxxxx | sed 's/[NOSPAM]//g'`