James-
>>>So far, mixing realservers and plain workstations behind my
>>>firewall/director works. Is there any good reason to add an
>>>eth2 and put them on different subnets?
There are a few good reasons to want to put an LVS system on an isolated
subnet.
For example, suppose you are serving web pages from the LVS system. If the
client machines are on the same subnet, then those machines will not be able
to access the served pages. The cause of this is pretty simple and involves
how packets are rewritten. This is fundamental to LVS and cannot be worked
around without serving a completely different page from a non-LVS server
solely for your internal client machines. This may apply also to other
LVS-ed services, but I cannot solidly confirm this.
Personally, I would highly suggest putting an LVS system on its own isolated
subnet. I am by far not an expert and am sure someone else here may be able
to add something to this discussion.
Best of luck...
-Nick
-----Original Message-----
From: James O'Kane [mailto:jo2y@xxxxxxxxxxxxxxxxx]
Sent: Tuesday, July 17, 2001 5:18 AM
To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: ipvsadm interaction with iptables
On Tue, 17 Jul 2001, Julian Anastasov wrote:
> You are using too restrictive rules, do you really need them?
>
> The LVS users that use Linux 2.2 are not powered with such firewall
> rules but you can build secure setup even with simple rules. In some
> cases even without firewall rules :)
I've had and seen friends' machines cracked too often to want to deal with
it. I want to err on the side of too restrictive and then open things as
needed. This machine will be my main firewall as well. I have a very small
setup, and lvs is probably overkill and I could probably do everything I
need with just iptables, but I wanted to start using it from the start.
So far, mixing realservers and plain workstations behind my
firewall/director works. Is there any good reason to add an eth2 and put
them on different subnets? I have around 10 machines including the
firewall, realservers and desktops.
thanks
-james
_______________________________________________
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://www.in-addr.de/mailman/listinfo/lvs-users