Roberto Nibali wrote:
> Well, this highly depends on the deployed architecture:
> LVS_DR or LVS_NAT.
Yes, the implementation will change a little bit, but the approach
will be the same.
> You mean you setup a filter on the realservers too?
With VS-DR they're connected to the outside world via
the router. Shouldn't I make it as difficult as possible
for someone who gains access to the LVS or is doing a DoS
to send packets from one machine to another in the LVS?
> the general approach should be:
>
> 1. policy DENY for all chains
> 2. enable service on chains for incoming and outgoing (consider
> the fact that, for example, realservers never start with a SYN).
OK
Joe
--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA
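The policy sketched above (default DENY on every chain, then open only the
service, using the fact that a realserver never originates a connection) as a
small simulation. This is an added example, not code from the original thread;
it models an LVS-DR realserver that answers HTTP on the VIP, with constructed
addresses and packets, and uses the thread's ipchains-era name DENY for the
policy verdict. It generalises the quoted steps slightly by also showing the
case Joe worries about: a packet a compromised realserver would send towards
another machine in the LVS.

```python
"""Toy model of the default-DENY chain policy discussed in the thread.

Added example, not from the original mailing-list post. Assumptions:
an LVS-DR realserver serving HTTP on the VIP; all addresses, ports and
packets below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List

VIP = "10.0.0.100"   # constructed: virtual IP, on the realserver's non-ARPing interface
RIP = "10.0.0.11"    # constructed: this realserver's own address
OTHER_RIP = "10.0.0.12"  # constructed: another realserver in the same LVS


@dataclass
class Packet:
    """The few TCP header fields the rules need."""
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


def is_new_connection(p: Packet) -> bool:
    """A bare SYN (SYN set, ACK clear) is the first packet of a TCP handshake."""
    return p.syn and not p.ack


def input_chain(p: Packet) -> str:
    """Step 1 + 2 for packets arriving at the realserver: policy DENY,
    with the advertised service on the VIP enabled."""
    if p.dst == VIP and p.dport == 80:
        return "ACCEPT"
    # Anything else, including traffic from other LVS hosts, hits the policy.
    return "DENY"


def output_chain(p: Packet) -> str:
    """Step 1 + 2 for packets leaving the realserver: policy DENY, with
    replies from the service enabled. Because a realserver never starts a
    connection, a bare SYN is refused even when it claims to come from the
    service port."""
    if p.src == VIP and p.sport == 80 and not is_new_connection(p):
        return "ACCEPT"
    return "DENY"


def filter_packets(direction: str, packets: List[Packet]) -> List[str]:
    """Run a batch of packets through one chain and return the verdicts."""
    chain = input_chain if direction == "input" else output_chain
    return [chain(p) for p in packets]


if __name__ == "__main__":
    client = "192.0.2.7"  # constructed client address
    cases = [
        ("input", Packet(client, VIP, 40000, 80, syn=True)),           # client opens HTTP
        ("output", Packet(VIP, client, 80, 40000, syn=True, ack=True)),  # SYN/ACK reply
        ("output", Packet(RIP, OTHER_RIP, 33000, 80, syn=True)),       # realserver -> peer
        ("input", Packet(OTHER_RIP, RIP, 33000, 22, syn=True)),         # peer -> ssh
    ]
    for direction, pkt in cases:
        print(direction, pkt.src, "->", pkt.dst, pkt.dport, filter_packets(direction, [pkt])[0])
```

The third and fourth cases are the ones the default-DENY policy is really for:
a realserver trying to open a connection to its neighbour is refused on its own
output chain, and the neighbour's input chain refuses it independently, so a
single compromised host cannot simply reach the rest of the LVS. On a real
ipchains or iptables box the same shape applies, with the reply-matching
expressed by `! --syn` (ipchains) or `--syn` negation / connection tracking
(iptables) rather than a Python flag check.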