RE: kernel: IP_MASQ:reverse ICMP:failed

To: "'lvs-users@xxxxxxxxxxxxxxxxxxxxxx'" <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: RE: kernel: IP_MASQ:reverse ICMP:failed
From: Peter Mueller <pmueller@xxxxxxxxxxxx>
Date: Tue, 19 Jun 2001 13:23:59 -0700
>It's also mentioned in the HOWTO
>
>http://www.linuxvirtualserver.org/Joseph.Mack/HOWTO/LVS-HOWTO-18.html#ss18.13
>
>where ICMP handling for VS-NAT is discussed.
>
>We still don't know what the problem is. Since it's seen in non-LVS situations,
>it probably isn't an LVS problem.
>
>Joe

That's an excellent reference, everyone should read it.  However, I wanted
to delve into it a bit more and came away with some interesting ipchains
settings... do any of the below settings interfere with LVS on director or
real server?  Also, do people advise putting these settings in sysctl or in
ipchains?  These are production boxes, so I'm not worried about some ninny
user messing things up and running a different rc.firewall.

cheers

Peter

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Enable always defraging protection
echo 1 > /proc/sys/net/ipv4/ip_always_defrag

# Enable broadcast echo protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Enable IP spoofing protection
# Turn on Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done

# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $f
done

# Disable sending of ICMP Redirects
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > $f
done

# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $f
done

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > $f
done
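As an added example that is not part of the original thread or the LVS project: the echo-into-/proc script above and an /etc/sysctl.conf entry set the same kernel knobs, the only difference being the spelling of the name (net/ipv4/tcp_syncookies under /proc/sys versus net.ipv4.tcp_syncookies for sysctl). The script below audits a director or real server against the settings listed in the post and can print the equivalent sysctl.conf lines. The WANTED list is constructed from the post, the SYSCTL_ROOT override and the file name harden-audit.sh are assumptions made here so the audit can be pointed at a test tree rather than the live kernel.

```shell
#!/bin/sh
# Added example, not code from the original post: read back the hardening
# settings listed in the message, report any that deviate, and print the
# equivalent /etc/sysctl.conf lines. SYSCTL_ROOT is an assumed override
# (default /proc/sys) so the audit can run against a copy or a test tree.
: "${SYSCTL_ROOT:=/proc/sys}"

# Desired state, constructed from the settings in the post: "path value" per
# line, relative to /proc/sys. A "*" entry covers every interface directory.
WANTED='net/ipv4/tcp_syncookies 1
net/ipv4/ip_always_defrag 1
net/ipv4/icmp_echo_ignore_broadcasts 1
net/ipv4/icmp_ignore_bogus_error_responses 1
net/ipv4/conf/*/rp_filter 1
net/ipv4/conf/*/accept_redirects 0
net/ipv4/conf/*/send_redirects 0
net/ipv4/conf/*/accept_source_route 0
net/ipv4/conf/*/log_martians 1'

# Map a /proc/sys relative path to the dotted key that sysctl(8) and
# /etc/sysctl.conf use, e.g. net/ipv4/tcp_syncookies -> net.ipv4.tcp_syncookies.
proc_to_sysctl_key() {
    printf '%s\n' "$1" | tr '/' '.'
}

# Print the sysctl.conf lines equivalent to the echo-into-/proc script.
# The per-interface wildcard becomes the conf/all entry, which is what the file
# format can express; for several of these keys the kernel combines conf/all
# with the per-interface value rather than overriding it, so check both.
sysctl_conf_lines() {
    while read -r path value; do
        key=$(proc_to_sysctl_key "$(printf '%s\n' "$path" | sed 's#/\*/#/all/#')")
        printf '%s = %s\n' "$key" "$value"
    done <<EOF
$WANTED
EOF
}

# Compare the live tree with WANTED. Prints one line per deviation and returns
# 1 if any value differs, 0 otherwise. A missing file is reported but does not
# fail the audit, since ip_always_defrag was dropped from later kernels.
audit_hardening() {
    rc=0
    while read -r path value; do
        for f in "$SYSCTL_ROOT"/$path; do      # $path unquoted so "*" expands
            if [ ! -e "$f" ]; then
                printf 'MISSING %s\n' "${f#"$SYSCTL_ROOT"/}"
                continue
            fi
            cur=$(cat "$f")
            if [ "$cur" != "$value" ]; then
                printf 'MISMATCH %s is %s want %s\n' "${f#"$SYSCTL_ROOT"/}" "$cur" "$value"
                rc=1
            fi
        done
    done <<EOF
$WANTED
EOF
    return "$rc"
}

# Usage: sh harden-audit.sh audit   -> check the running kernel
#        sh harden-audit.sh conf    -> print /etc/sysctl.conf lines
case "${1:-}" in
    audit) audit_hardening ;;
    conf)  sysctl_conf_lines ;;
esac
```

Running `sh harden-audit.sh audit` after boot answers the question of whether whatever rc script last ran actually left the values in place; a non-zero exit with MISMATCH lines is the signal to look at which of rc.firewall, sysctl.conf or an interface hook won the last write.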

