Re: LVS and host based firewall

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: LVS and host based firewall
From: "Mike Radomski" <Mike.Radomski@xxxxxxxxxxxxxxxxxx>
Date: Fri, 10 May 2002 04:59:06 -0400

Hello,
I was able to get it to work using the redirect approach to the ARP problem. Previously I was using the hidden interface approach. If anyone is interested, here are the SuSEfirewall rules that worked:

FW_DEV_WORLD="eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
FW_ROUTE="no"
FW_AUTOPROTECT_GLOBAL_SERVICES="no"
FW_PROTECT_FROM_INTERNAL="no"

FW_SERVICES_INTERNAL_TCP="1:65535"
FW_SERVICES_INTERNAL_UDP="1:65535"

FW_SERVICES_EXTERNAL_TCP="www https ssh lotusnote"
FW_SERVICES_EXTERNAL_UDP="www https ssh lotusnote"

FW_TRUSTED_NETS="xxx.xxx.xxx.xxx/24"
FW_SERVICES_TRUSTED_TCP="1:65535"
FW_SERVICES_TRUSTED_UDP="1:65535"

FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_ALLOW_PING_FW="yes"

FW_REDIRECT_TCP="0/0,yyy.yyy.yyy.yyy"   # where yyy.yyy.yyy.yyy is the VIP

Mike Radomski

SUNY - ITEC
Information Technology Exchange Center
Systems Programmer/Analyst
E-mail: Mike.Radomski@xxxxxxxxxxxxxxxxxx
Systems E-Mail: scsys@xxxxxxxxxxxxxxxxxx
Phone: (716)878-4832
Cellular: (716)866-7039
Fax: (716)878-4235



Mike Radomski/itec/alis/suny
05/09/2002 11:30 AM

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
cc:
Subject: LVS and host based firewall


Hello,
I have an LVS cluster that performs Direct Routing for Windows and Linux real servers. Everything is working quite well for load balancing a Domino cluster. We are now implementing a Linux Domino cluster and would like to put a host-based firewall on each real server. The real servers are running SuSE Linux. I have been trying to use SuSEfirewall for simplicity, though I usually use ipchains. When I turn on the firewall, the real servers are still listed in ipvsadm, but do not receive connections. I can get directly to the real servers via their IP.

Here are my SuSEfirewall rules:

FW_DEV_WORLD="eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
FW_ROUTE="no"
FW_AUTOPROTECT_GLOBAL_SERVICES="no"
FW_PROTECT_FROM_INTERNAL="no"

FW_SERVICES_INTERNAL_TCP="1:65535"
FW_SERVICES_INTERNAL_UDP="1:65535"

FW_SERVICES_EXTERNAL_TCP="www https ssh lotusnote"
FW_SERVICES_EXTERNAL_UDP="www https ssh lotusnote"

FW_TRUSTED_NETS="xxx.xxx.xxx.xxx/24"
FW_SERVICES_TRUSTED_TCP="1:65535"
FW_SERVICES_TRUSTED_UDP="1:65535"

FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_ALLOW_PING_FW="yes"

If anyone has any suggestions for SuSEfirewall or ipchains, it would be greatly appreciated.

Thank you,


Mike Radomski
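What the single FW_REDIRECT_TCP line amounts to at the packet-filter level, as an added example that is not from the post or from SuSEfirewall itself: a small POSIX shell script that renders the iptables REDIRECT and INPUT rules an LVS-DR real server needs for the redirect approach to the ARP problem. The interface name, the placeholder VIP 192.0.2.10 and the reading of FW_REDIRECT_TCP as "source-net,destination-ip" are my assumptions; the service-to-port mapping follows /etc/services.

```shell
#!/bin/sh
# Added example (not from the list post): render the iptables rules that
# correspond to FW_SERVICES_EXTERNAL_TCP plus FW_REDIRECT_TCP on an LVS-DR
# real server.  Assumptions (mine, not the post's): the interface and VIP are
# constructed placeholders, and FW_REDIRECT_TCP="src-net,dst-ip" means
# "redirect TCP traffic from src-net that is addressed to dst-ip to this host".

# Map the service names used in the post to TCP ports (values from /etc/services).
service_port() {
    case "$1" in
        www)       echo 80 ;;
        https)     echo 443 ;;
        ssh)       echo 22 ;;
        lotusnote) echo 1352 ;;
        *)         echo "unknown service: $1" >&2; return 1 ;;
    esac
}

# Print the rules for one VIP.  $1 = external interface, $2 = VIP,
# $3 = FW_REDIRECT_TCP value, $4 = FW_SERVICES_EXTERNAL_TCP value.
dr_redirect_rules() {
    iface=$1; vip=$2; redirect=$3; services=$4
    src=${redirect%%,*}        # "0/0" part of the key
    dst=${redirect#*,}         # destination part of the key
    # Refuse a redirect key that does not point at the VIP: the packets that
    # arrive via DR carry the VIP as destination, nothing else would match.
    [ "$dst" = "$vip" ] || { echo "FW_REDIRECT_TCP target $dst is not the VIP $vip" >&2; return 1; }
    for svc in $services; do
        port=$(service_port "$svc") || return 1
        # nat/PREROUTING: DR packets are addressed to the VIP, which is not a
        # local address here; REDIRECT rewrites them to a local address so the
        # stack delivers them to the listening service.
        echo "iptables -t nat -A PREROUTING -i $iface -s $src -d $dst -p tcp --dport $port -j REDIRECT"
        # filter/INPUT: the host firewall must still accept the service port.
        echo "iptables -A INPUT -i $iface -p tcp --dport $port -j ACCEPT"
    done
}

# Constructed sample input mirroring the post's working configuration.
FW_DEV_WORLD="eth0"
FW_SERVICES_EXTERNAL_TCP="www https ssh lotusnote"
VIP="192.0.2.10"                 # placeholder VIP (documentation address range)
FW_REDIRECT_TCP="0/0,$VIP"

if [ "${1:-}" = "--show" ]; then
    dr_redirect_rules "$FW_DEV_WORLD" "$VIP" "$FW_REDIRECT_TCP" "$FW_SERVICES_EXTERNAL_TCP"
fi
```

Run with `--show` to print the rule set; the script only renders commands and never applies them, so it can be reviewed before anything touches a running real server.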

