Hello,
On Thu, 13 Dec 2001, Brett Johnson wrote:
> I have observed that when I add the mentioned rule with ipvsadm that the
> UDP DNS 53->53 traffic going out stops. If I remove that rule in the
I know, nslookup uses UDP but for normal lookups...
> script I pasted in the first email, all UDP traffic works just fine. Just
> to clarify, the zone transfer process is using both UDP and TCP to do the
> transfer. Typically when I manually do name lookups, they are UDP
>
> It looks like I should try the 0.9.8 patch you mentioned and turn off the
> unknown UDP block. I've noticed that 0.9.8 is in the development side.
> How stable is it for light production use?
It works in my tests, I still don't use it in production,
so I can't comment for a longer test period. Maybe other users have
more experience.
> Right now I set up my iptables rules by getting the connection to work
> first then trying the blocks. Needless to say that this is rather tedious.
> I really don't like having the OS exposed to open Internet (many others
> are with me on that)...so this leads to another question (perhaps a feature
> request?):
>
> How hard would it be to tell LVS to just drop everything it doesn't have an
> entry for in the ipvs table???
> An example would be: I alias an IP address for the intent of LVS usage.
> Perhaps make it an option I can turn on to say that anything that doesn't
> show up in the "ipvsadm -Ln" table gets dropped for that aliased IP only.
> From a security stand point this would be really great as rules can be
> easily written for the real IP that won't get any LVS entries anyway.
Maybe you can block all ports below 1024, to allow
for example 80, 21 or 20 if you are using them as service and to
leave the ports after 1024 for LVS control (for ftp data for example).
> Thx/B++
Regards
--
Julian Anastasov <ja@xxxxxx>
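The per-VIP allow-list Brett asks for, together with Julian's "leave the ports above 1024 open" variant, as an added example that is not part of this thread and not LVS project code: a Python script that parses `ipvsadm -Ln` style output, collects the TCP/UDP virtual services per VIP, and emits iptables INPUT rules that accept only those VIP ports and then drop everything else addressed to that VIP. The sample table, the VIP 192.0.2.10 and the real-server addresses are constructed; the script assumes the filter INPUT chain sees VIP-bound packets before IPVS claims them (the LVS behaviour on 2.4 kernels), and it prints the rules instead of applying them so they can be reviewed first.

```python
"""Derive per-VIP iptables allow-lists from `ipvsadm -Ln` output (added example)."""
import re

# Constructed sample of `ipvsadm -Ln` output; not captured from a real director.
SAMPLE_IPVSADM_OUTPUT = """\
IP Virtual Server version 0.9.8 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.0.2.10:80 wlc
  -> 10.0.0.11:80                 Masq    1      0          0
  -> 10.0.0.12:80                 Masq    1      0          0
TCP  192.0.2.10:21 wlc persistent 360
  -> 10.0.0.11:21                 Masq    1      0          0
UDP  192.0.2.10:53 rr
  -> 10.0.0.13:53                 Masq    1      0          0
"""

# Virtual-service lines start with the protocol, then VIP:port.  Real-server
# lines ("  -> ...") and the two header lines do not match and are skipped.
SERVICE_RE = re.compile(r"^(TCP|UDP)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+")


def parse_ipvs_services(text):
    """Return {vip: {(proto, port), ...}} for every TCP/UDP virtual service."""
    services = {}
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue
        proto, vip, port = m.group(1).lower(), m.group(2), int(m.group(3))
        services.setdefault(vip, set()).add((proto, port))
    return services


def generate_rules(services, allow_high_ports=False):
    """Build iptables INPUT rules: accept listed VIP ports, drop the rest.

    With allow_high_ports=True the unprivileged range 1024-65535 is also
    accepted on each VIP, which is the "block below 1024, leave the rest for
    LVS (e.g. ftp data)" variant; only the VIP is touched, so the director's
    own address and its outbound lookups are unaffected by these rules.
    """
    rules = []
    for vip in sorted(services):
        for proto, port in sorted(services[vip]):
            rules.append(
                f"iptables -A INPUT -d {vip} -p {proto} --dport {port} -j ACCEPT")
        if allow_high_ports:
            for proto in ("tcp", "udp"):
                rules.append(
                    f"iptables -A INPUT -d {vip} -p {proto} --dport 1024:65535 -j ACCEPT")
        # Final catch-all for this VIP: anything not in the ipvsadm table is dropped.
        rules.append(f"iptables -A INPUT -d {vip} -j DROP")
    return rules


if __name__ == "__main__":
    # Print the rules for review; pipe into sh only after checking them.
    for rule in generate_rules(parse_ipvs_services(SAMPLE_IPVSADM_OUTPUT)):
        print(rule)
```

On a live director the text would come from running `ipvsadm -Ln` rather than the embedded sample; the DROP is appended last per VIP so the ACCEPT rules for the table entries are matched first.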