Re: Security RFE

To: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Security RFE
From: Wensong Zhang <wensong@xxxxxxxxxxxx>
Date: Thu, 20 Dec 2001 22:14:26 +0800 (CST)

On Wed, 19 Dec 2001, Brett Johnson wrote:

> It doesn't look like this ML got my response from a few days ago; here
> is a portion of it about firewalling LVS.
> This would be a really good security option to add that would hopefully be
> easy:
> How hard would it be to tell LVS to just drop everything it doesn't have an
> entry for in the ipvs table?
> An example would be: I alias an IP address for the intent of LVS usage.
> Perhaps make it an option (that I can turn off or on) to say that anything
> that doesn't show up in the "ipvsadm -Ln" table gets dropped for that
> aliased IP only. From a security standpoint this would be really great, as
> rules can be easily written for the real IP that won't get any LVS entries
> anyway.

Why not use iptables/ipchains for this? Let the things in "ipvsadm -Ln" pass
and drop the rest on this aliased IP.

> Implementation-wise, I think it could probably look something like
> iptables:
> ipvsadm -P <IPaddr> DROP
> ?
> Thx / B++ / K90, Inc.

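The approach Wensong suggests, worked through as an added example (this is not code from the thread or from the LVS project): parse the output of "ipvsadm -Ln", emit an iptables ACCEPT rule for every protocol/port that is configured on the aliased VIP, then a final DROP for everything else addressed to that VIP. The "ipvsadm -Ln" listing below is constructed for the example, the VIP 192.168.1.100 and real servers 10.0.0.x are made up, and the function name lvs_vip_rules is my own. On a real director you would pipe the live "ipvsadm -Ln" into the function instead of the sample, and review the printed rules before running them.

```shell
#!/bin/sh
# Constructed sample of "ipvsadm -Ln" output (not captured from a real host).
# 192.168.1.100 is the aliased VIP we want to lock down; 192.168.1.200 is a
# second VIP whose services must not leak into the rule set.
SAMPLE_IPVSADM='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.1.100:80 rr
  -> 10.0.0.1:80                  Masq    1      0          0
  -> 10.0.0.2:80                  Masq    1      0          0
TCP  192.168.1.100:443 wlc
  -> 10.0.0.1:443                 Masq    1      0          0
UDP  192.168.1.100:53 rr
  -> 10.0.0.3:53                  Masq    1      0          0
TCP  192.168.1.200:25 rr
  -> 10.0.0.4:25                  Masq    1      0          0'

# lvs_vip_rules VIP
# Reads "ipvsadm -Ln" output on stdin and prints the iptables commands that
# accept only the (protocol, port) pairs IPVS knows about for VIP and drop
# every other packet addressed to VIP. Only IPv4 address:port services are
# handled; fwmark ("FWM") services have no address and are skipped.
lvs_vip_rules() {
    vip="$1"
    awk -v vip="$vip" '
        # Virtual-service lines start with the protocol in column 1, e.g.
        # "TCP  192.168.1.100:80 rr"; real-server lines start with "->" and
        # header lines with "IP" or "Prot", so they never match here.
        $1 == "TCP" || $1 == "UDP" || $1 == "SCTP" {
            n = split($2, addr, ":")
            if (n == 2 && addr[1] == vip) {
                printf "iptables -A INPUT -d %s -p %s --dport %s -j ACCEPT\n",
                       vip, tolower($1), addr[2]
            }
        }
        # The catch-all DROP must come last so the ACCEPTs above match first.
        END {
            printf "iptables -A INPUT -d %s -j DROP\n", vip
        }
    '
}

# Stand-alone demonstration against the constructed sample.
printf '%s\n' "$SAMPLE_IPVSADM" | lvs_vip_rules 192.168.1.100
```

On a netfilter kernel the filter table's INPUT chain is evaluated before the IPVS hook on the same local-in path, so a DROP here stops the packet before IPVS ever schedules it, which is exactly the behaviour the request asks for, without a new ipvsadm option. Because the rules are appended with -A in the order printed, do not re-run the generator into a chain that already holds a DROP for the VIP; flush or use a dedicated chain first. The function only sees the service list at the moment you run it, so it must be re-run whenever a virtual service is added or removed.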