Hello,
On Wed, 19 Dec 2001, Brett Johnson wrote:
> It doesn't look like this ML got my response I did a few days ago...so here
> is a portion of it about firewalling LVS.
> This would be a really good security option to add that would hopefully be
> easy:
>
> How hard would it be to tell LVS to just drop everything it doesn't have an
> entry for in the ipvs table???
>
> An example would be: I alias an IP address for the intent of LVS usage.
> Perhaps make it an option (that I can turn off or on) to say that anything
> that doesn't show up in the "ipvsadm -Ln" table gets dropped for that
> aliased IP only. From a security standpoint this would be really great as
> rules can be easily written for the real IP that won't get any LVS entries
> anyway.
>
Why not use iptables/ipchains for this? Let things in "ipvsadm -Ln" pass
and drop the rest on this aliased IP.
Regards,
Wensong
> Implementation wise, I think it could probably look something like
> iptables:
> ipvsadm -P <IPaddr> DROP
>
> ?
>
> Thx / B++ / K90, Inc.
>
> _______________________________________________
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://www.in-addr.de/mailman/listinfo/lvs-users
>
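The approach Wensong suggests, as an added example that is not part of this thread or of the LVS project's code: a small POSIX shell script that reads `ipvsadm -Ln` output, emits one iptables ACCEPT rule per virtual service found on a given VIP, and finishes with a DROP for anything else addressed to that VIP. It assumes the `Prot LocalAddress:Port Scheduler` layout of `ipvsadm -Ln` and the filter table's INPUT chain (which netfilter runs before the IPVS LOCAL_IN hook on 2.4 kernels, so the DROP really does stop packets before LVS sees them); the sample table embedded in the script is constructed so it runs offline, and `ipchains` users would substitute the equivalent `-A input` syntax.

```shell
#!/bin/sh
# Added example (not LVS project code): build iptables rules that accept only
# the services ipvsadm lists for one virtual IP and drop everything else
# addressed to that IP. Assumes "ipvsadm -Ln" output format and the INPUT chain.

# Constructed sample of "ipvsadm -Ln" output so the script runs offline;
# on a real director pipe the live command in instead (see usage line at end).
SAMPLE_IPVS='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.1.10:80 wlc
  -> 192.168.1.101:80             Route   1      0          0
  -> 192.168.1.102:80             Route   1      0          0
TCP  192.168.1.10:443 wlc
  -> 192.168.1.101:443            Route   1      0          0
UDP  192.168.1.11:53 rr
  -> 192.168.1.103:53             Masq    1      0          0'

# lvs_rules_for_vip VIP  (reads ipvsadm -Ln output on stdin)
# Prints one ACCEPT per virtual service on VIP, then a catch-all DROP for VIP.
# Rules are printed rather than applied so they can be reviewed first.
lvs_rules_for_vip() {
    vip="$1"
    awk -v vip="$vip" '
        # Service lines start with the protocol (TCP/UDP) and carry VIP:port
        # in column 2; "->" lines are real servers and are skipped.
        $1 == "TCP" || $1 == "UDP" {
            split($2, a, ":")
            if (a[1] == vip) {
                proto = tolower($1)
                printf "iptables -A INPUT -d %s -p %s --dport %s -j ACCEPT\n", vip, proto, a[2]
            }
        }
        # The DROP is emitted even when no service matched: a VIP with no
        # LVS entries then simply accepts nothing.
        END { printf "iptables -A INPUT -d %s -j DROP\n", vip }
    '
}

# lvs_accept_count VIP: number of ACCEPT rules the sample table yields for VIP.
# A sanity check before applying: 0 means the VIP has no LVS services at all.
lvs_accept_count() {
    printf '%s\n' "$SAMPLE_IPVS" | lvs_rules_for_vip "$1" | grep -c -- '-j ACCEPT' || true
}

# Stand-alone run against the constructed sample.
# On a director: ipvsadm -Ln | lvs_rules_for_vip 192.168.1.10 | sh
printf '%s\n' "$SAMPLE_IPVS" | lvs_rules_for_vip 192.168.1.10
```

Order matters: the ACCEPT rules must precede the DROP in the chain, which is why the script appends them first and the DROP last; a VIP that is aliased but has no entries in the table gets only the DROP, which is exactly the behaviour asked for in the quoted message.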