lvs-users
To: | lvs-users@xxxxxxxxxxxxxxxxxxxxxx |
---|---|
Subject: | LVS and host based firewall |
From: | "Mike Radomski" <Mike.Radomski@xxxxxxxxxxxxxxxxxx> |
Date: | Thu, 9 May 2002 11:30:07 -0400 |
Hello,

I have an LVS cluster that performs Direct Routing for Windows and Linux real servers. Everything is working quite well for load balancing a Domino cluster. We are now implementing a Linux Domino Cluster and would like to put a host based firewall on each real server. The real servers are running SuSE Linux. I have been trying to use SuSEfirewall for simplicity, though I usually use ipchains.

When I turn on the firewall, the real servers are still listed in ipvsadm, but do not receive connections. I can get directly to the real servers via their IP.

Here are my SuSEfirewall rules:

    FW_DEV_WORLD="eth0"
    FW_DEV_INT="eth1"
    FW_DEV_DMZ=""
    FW_ROUTE="no"
    FW_AUTOPROTECT_GLOBAL_SERVICES="no"
    FW_PROTECT_FROM_INTERNAL="no"
    FW_SERVICES_INTERNAL_TCP="1:65535"
    FW_SERVICES_INTERNAL_UDP="1:65535"
    FW_SERVICES_EXTERNAL_TCP="www https ssh lotusnote"
    FW_SERVICES_EXTERNAL_UDP="www https ssh lotusnote"
    FW_TRUSTED_NETS="xxx.xxx.xxx.xxx/24"
    FW_SERVICES_TRUSTED_TCP="1:65535"
    FW_SERVICES_TRUSTED_UDP="1:65535"
    FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
    FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
    FW_ALLOW_PING_FW="yes"

If anyone has any suggestions for SuSEfirewall or ipchains, it would be greatly appreciated.

Thank you,

Mike Radomski
SUNY - ITEC
Information Technology Exchange Center
Systems Programmer/Analyst
E-mail: Mike.Radomski@xxxxxxxxxxxxxxxxxx
Systems E-Mail: scsys@xxxxxxxxxxxxxxxxxx
Phone: (716)878-4832
Cellular: (716)866-7039
Fax: (716)878-4235