
Re: Security RFE

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: Security RFE
From: Padraig Brady <padraig@xxxxxxxxxxxxx>
Date: Thu, 20 Dec 2001 18:06:51 +0000
Brett Johnson wrote:

Connection tracking doesn't work in iptables if LVS is getting the packets. Tried many times, many ways.


We've patches (small to ipvs, tiny to netfilter) to get netfilter connection tracking working with ipvs. Will clean up and send soon.

Padraig.


Right now I secure the VIP by blocking low ports and "around" others, but this still leaves high ports exposed and isn't a very good security model. High ports can't be blocked if there is going to be FTP on there anyway.

From what I understand, there is already connection tracking inside the LVS module. I'm wondering, instead of letting the module pass the packet along, have an option to let it drop the packet if it doesn't have a match. This would be far easier and not have any extra part of the OS "exposed" to the open network. This would also eliminate any iptables rules for that VIP, greatly simplifying setup and security. :)

Thx / B++ / K90, Inc.

*********** REPLY SEPARATOR ***********

On 12/20/01, at 10:14 PM, Wensong Zhang wrote:

Hello,

On Wed, 19 Dec 2001, Brett Johnson wrote:


It doesn't look like this ML got my response I did a few days ago... so here is a portion of it about firewalling LVS. This would be a really good security option to add that would hopefully be easy:

How hard would it be to tell LVS to just drop everything it doesn't have an entry for in the ipvs table???

An example would be: I alias an IP address for the intent of LVS usage. Perhaps make it an option (that I can turn off or on) to say that anything that doesn't show up in the "ipvsadm -Ln" table gets dropped for that aliased IP only. From a security standpoint this would be really great, as rules can be easily written for the real IP that won't get any LVS entries anyway.


Why not use iptables/ipchains for this? Let things in "ipvsadm -Ln" pass and drop the rest on this aliased IP.

Regards,

Wensong
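An added shell sketch of the allowlist Wensong suggests, not from anyone in the thread: it parses "ipvsadm -Ln" output (a constructed sample is embedded so it runs offline) and prints iptables rules that accept each listed proto/port on the VIP and drop everything else addressed to that VIP. The VIP and real-server addresses are made up; the function name vip_rules is mine.

```shell
#!/bin/sh
# Constructed sample of "ipvsadm -Ln" output (not captured from a real box).
SAMPLE_IPVSADM='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.0.0.1:80 wlc
  -> 192.168.1.2:80               Route   1      0          0
  -> 192.168.1.3:80               Route   1      0          0
TCP  10.0.0.1:21 wlc persistent 360
  -> 192.168.1.2:21               Route   1      0          0
UDP  10.0.0.1:53 rr
  -> 192.168.1.4:53               Masq    1      0          0'

# vip_rules VIP [table]: print one iptables command per line that ACCEPTs each
# proto/port the ipvs table lists for VIP, then a final DROP for anything else
# sent to VIP. Service lines start with TCP/UDP; the "->" real-server lines,
# the version banner and the column headers are skipped. IPv4 only (the
# "addr:port" split on ":" would not handle bracketed IPv6 entries).
# If no table text is given, the live "ipvsadm -Ln" output is used.
vip_rules() {
    vip=$1
    table=${2:-$(ipvsadm -Ln)}
    printf '%s\n' "$table" | awk -v vip="$vip" '
        $1 == "TCP" || $1 == "UDP" {
            split($2, a, ":")
            if (a[1] == vip)
                printf "iptables -A INPUT -d %s -p %s --dport %s -j ACCEPT\n", vip, tolower($1), a[2]
        }
        END { printf "iptables -A INPUT -d %s -j DROP\n", vip }'
}

# Print the rules for the VIP in the constructed sample; pipe into sh to apply.
vip_rules 10.0.0.1 "$SAMPLE_IPVSADM"
```

Only the control ports in the table are opened, so FTP data connections on high ports (the gap Brett raises above) are still dropped; without working connection tracking on the VIP there is nothing here to let them through selectively.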