Re: Security RFE

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: Security RFE
From: "Brett Johnson" <mlipvs@xxxxxxx>
Date: Thu, 20 Dec 2001 11:56:42 -0600
Connection tracking doesn't work in iptables if LVS is getting the packets.
Tried many times, many ways.

Right now I secure the VIP by blocking low ports and "around" others, but
this still leaves high ports exposed and isn't a very good security model.
High ports can't be blocked if there is going to be FTP on there anyway.

From what I understand, there is already connection tracking inside the LVS
module.  I'm wondering instead of letting the module pass the packet along,
have an option to let it drop the packet if it doesn't have a match.  This
would be far easier and not have any extra part of the OS "exposed" to the
open network.  This would also eliminate any iptables rules for that VIP,
greatly simplifying setup and security. :)

Thx / B++ / K90, Inc.

*********** REPLY SEPARATOR ***********

On 12/20/01, at 10:14 PM, Wensong Zhang wrote: 

>On Wed, 19 Dec 2001, Brett Johnson wrote:
>> It doesn't look like this ML got my response I did a few days
>> is a portion of it about firewalling LVS.
>> This would be a really good security option to add that would hopefully
>> easy:
>> How hard would it be to tell LVS to just drop everything it doesn't have
>> entry for in the ipvs table???
>> An example would be:  I alias an IP address for the intent of LVS usage.
>> Perhaps make it an option (that I can turn off or on) to say that
>> that doesn't show up in the "ipvsadm -Ln" table gets dropped for that
>> aliased IP only.  From a security standpoint this would be really great
>> rules can be easily written for the real IP that won't get any LVS
>> anyway.
>Why not use iptables/ipchains for this? Let things in "ipvsadm -Ln" pass
>and drop the rest things on this aliased IP.
