Re: Security RFE

To: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Security RFE
From: Wensong Zhang <wensong@xxxxxxxxxxxx>
Date: Thu, 20 Dec 2001 22:14:26 +0800 (CST)
Hello,

On Wed, 19 Dec 2001, Brett Johnson wrote:

> It doesn't look like this ML got my response I did a few days ago...so here
> is a portion of it about firewalling LVS.
> This would be a really good security option to add that would hopefully be
> easy:
>
> How hard would it be to tell LVS to just drop everything it doesn't have an
> entry for in the ipvs table???
>
> An example would be:  I alias an IP address for the intent of LVS usage.
> Perhaps make it an option (that I can turn off or on) to say that anything
> that doesn't show up in the "ipvsadm -Ln" table gets dropped for that
> aliased IP only.  From a security standpoint this would be really great as
> rules can be easily written for the real IP that won't get any LVS entries
> anyway.
>

Why not use iptables/ipchains for this? Let things in "ipvsadm -Ln" pass
and drop the rest on this aliased IP.

Regards,

Wensong

> Implementation wise, I think it could probably look something like
> iptables:
> ipvsadm -P <IPaddr> DROP
>
> ?
>
> Thx / B++ / K90, Inc.
>


