
Security RFE

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Security RFE
From: "Brett Johnson" <mlipvs@xxxxxxx>
Date: Wed, 19 Dec 2001 18:02:04 -0600

It doesn't look like this ML got my response I did a few days ago... so here
is a portion of it about firewalling LVS.
This would be a really good security option to add that would hopefully be
easy:

How hard would it be to tell LVS to just drop everything it doesn't have an
entry for in the ipvs table???

An example would be:  I alias an IP address for the intent of LVS usage.
Perhaps make it an option (that I can turn off or on) to say that anything
that doesn't show up in the "ipvsadm -Ln" table gets dropped for that
aliased IP only.  From a security standpoint this would be really great as
rules can be easily written for the real IP that won't get any LVS entries
anyway.

Implementation-wise, I think it could probably look something like
iptables:
ipvsadm -P <IPaddr> DROP

?

Thx / B++ / K90, Inc.
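
The behaviour requested above can be approximated on the director with iptables. The following is an added example, not part of the original message and not LVS code: it reads "ipvsadm -Ln" output and prints rules that accept only the virtual services defined for one aliased IP and drop everything else sent to it. It assumes the filter INPUT chain sees packets for the VIP before IPVS does; vip_rules, sample_table and all addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive a per-VIP default-drop policy from the ipvs table.
# The rules are only printed for review; nothing is applied.

# vip_rules VIP -- reads "ipvsadm -Ln" text on stdin, prints iptables commands.
vip_rules() {
    awk -v vip="$1" '
        # Virtual-service lines look like: "TCP  192.0.2.10:80 rr".
        # Real-server lines start with "->" and are ignored.
        $1 == "TCP" || $1 == "UDP" {
            # Exactly two fields means an IPv4 address:port pair.
            n = split($2, a, ":")
            if (n == 2 && a[1] == vip)
                printf "iptables -A INPUT -d %s -p %s --dport %s -j ACCEPT\n",
                       vip, tolower($1), a[2]
            next
        }
        # Firewall-mark services carry no address:port, so they cannot be
        # tied to a VIP here; report them instead of guessing.
        $1 == "FWM" { printf "skipping fwmark service %s\n", $2 > "/dev/stderr" }
        END {
            # Everything else addressed to the VIP is dropped. This includes
            # ICMP, so path-MTU errors sent to the VIP are lost as well.
            printf "iptables -A INPUT -d %s -j DROP\n", vip
        }
    '
}

# Constructed sample of "ipvsadm -Ln" output (not from a real director).
sample_table() {
    cat <<'EOF'
IP Virtual Server version 1.0.8 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.0.2.10:80 rr
  -> 10.0.0.2:80                  Masq    1      0          0
TCP  192.0.2.10:443 wlc persistent 300
  -> 10.0.0.3:443                 Masq    1      0          0
UDP  192.0.2.11:53 rr
  -> 10.0.0.4:53                  Masq    1      0          0
FWM  1 rr
  -> 10.0.0.5:0                   Route   1      0          0
EOF
}

sample_table | vip_rules 192.0.2.10
```

The rules have to be regenerated whenever a virtual service is added to or removed from the table, otherwise new services on the VIP are silently dropped.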

