Brett Johnson wrote:

Connection tracking doesn't work in iptables if LVS is getting the packets.
Tried many times, many ways.

We've patches (small to ipvs, tiny to netfilter) to get netfilter connection tracking working with ipvs. Will cleanup and send soon.


Right now I secure the VIP by blocking low ports and "around" others, but
this still leaves high ports exposed and isn't a very good security model.
High ports can't be blocked if there is going to be FTP on there anyway.

From what I understand, there is already connection tracking inside the LVS
module.  I'm wondering instead of letting the module pass the packet along,
have an option to let it drop the packet if it doesn't have a match.  This
would be far easier and not have any extra part of the OS "exposed" to the
open network.  This would also eliminate any iptables rules for that VIP,
greatly simplifying setup and security. :)

On Wed, 19 Dec 2001, Brett Johnson wrote:

It doesn't look like this ML got my response I did a few days


is a portion of it about firewalling LVS.
This would be a really good security option to add that would hopefully



How hard would it be to tell LVS to just drop everything it doesn't have an
entry for in the ipvs table???

An example would be:  I alias an IP address for the intent of LVS usage.
Perhaps make it an option (that I can turn off or on) to say that


that doesn't show up in the "ipvsadm -Ln" table gets dropped for that
aliased IP only.  From a security standpoint this would be really great


rules can be easily written for the real IP that won't get any LVS



Why not use iptables/ipchains for this? Let things in "ipvsadm -Ln" pass
and drop the rest on this aliased IP.
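One way to do what the reply suggests, as an added example that is not code from the list or from the ipvs project: a shell function that turns "ipvsadm -Ln" output into stateless iptables rules accepting the listed VIP:port services and dropping everything else addressed to that VIP. The table below is constructed (the VIP, real-server addresses and ports are made up), and the function only prints the rules so they can be reviewed before loading; it needs no connection tracking, which matters given the conntrack limitation discussed above.

```shell
#!/bin/sh
# Constructed sample of "ipvsadm -Ln" output (not captured from a real host).
SAMPLE_IPVS_TABLE='IP Virtual Server version 1.0.0 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.1.10:80 wlc
  -> 10.0.0.1:80                  Masq    1      0          0
  -> 10.0.0.2:80                  Masq    1      0          0
TCP  192.168.1.10:443 rr
  -> 10.0.0.1:443                 Masq    1      0          0
UDP  192.168.1.10:53 rr
  -> 10.0.0.3:53                  Masq    1      0          0
TCP  192.168.1.11:25 rr
  -> 10.0.0.4:25                  Masq    1      0          0'

# Print iptables rules (one per line) that accept only the services the IPVS
# table lists for $1 (the aliased VIP) and drop everything else sent to it.
# Reads "ipvsadm -Ln" style output on stdin; it emits text, never runs iptables.
gen_vip_rules() {
    vip="$1"
    awk -v vip="$vip" '
        # Service lines start with a protocol and carry VIP:port in column 2;
        # real-server lines start with "->" and fwmark services have no VIP:port,
        # so both are skipped.
        $1 == "TCP" || $1 == "UDP" {
            split($2, a, ":")
            if (a[1] == vip) {
                printf "iptables -A INPUT -d %s -p %s --dport %s -j ACCEPT\n",
                       vip, tolower($1), a[2]
            }
        }
        END {
            # Final stateless drop for the VIP only; other addresses on the
            # host (the real IP, for instance) are not touched by these rules.
            printf "iptables -A INPUT -d %s -j DROP\n", vip
        }'
}

# Usage: rules for VIP 192.168.1.10 from the constructed table.
printf '%s\n' "$SAMPLE_IPVS_TABLE" | gen_vip_rules 192.168.1.10
```

Services on 192.168.1.11 are left alone, so a second VIP gets its own call. Since the DROP is appended last, rules for other traffic to the VIP (such as FTP data ports) must be inserted before it.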