> i have read the docs, and i saw that all the security and dos protection
> features in LVS are aimed at protecting the director. the
Not necessarily. Can you be more specific where your area(s) of concern
are?
> setup assumes that the real servers can take care of themselves, either
> by using syncookies or by some other means. is there a solution for real
> servers that do not implement syncookies? On some of my servers i am stuck
> with w2k. I know
It's generally a good idea to not rely on any single security point. In
this case it seems like LVS-NAT topology might be a good option in addition
to hardening your windows 2000 boxes. Google is once again your friend
here..
http://www.google.com/search?sourceid=navclient&q=SYN+%22windows+2000%22+DOS
> there is a syncookies firewall for kernel 2.2, but i am using 2.4 ...
because of netfilter, 2.4 is much better than 2.2. are you asking what the
settings are for /proc (or sysctl.conf) to help guard against syn floods? a
few I use are ..
[root@stage-lb2 root]# uname -a
Linux stage-lb2.internal.smartbasket.com 2.4.19-rc1 #1 SMP Fri Jul 12
17:51:56 PDT 2002 i686 unknown
[root@stage-lb2 root]# cat /proc/sys/net/ipv4/tcp_syncookies
1
[root@stage-lb2 root]# cat /etc/sysctl.conf | grep syn
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_syncookies = 1
Hope that helps,
Peter
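As an added illustration of the sysctl settings Peter lists (this script is not part of the original post), the shell functions below parse a sysctl.conf-style fragment and report whether SYN cookies are enabled and the SYN backlog is at least 1024. The sample configuration text and the 1024 threshold are constructed assumptions for the example; the two key names are the ones shown in the message.

```shell
#!/bin/sh
# Constructed sample of a sysctl.conf fragment (not taken from the original post).
SAMPLE_SYSCTL='net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_forward = 1'

# sysctl_value KEY CONFIG_TEXT
# Print the value assigned to KEY in CONFIG_TEXT (last assignment wins),
# or nothing if the key is not set. Dots in KEY are escaped for sed.
sysctl_value() {
  key_re=$(printf '%s' "$1" | sed 's/\./\\./g')
  printf '%s\n' "$2" \
    | sed -n "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" \
    | tail -n 1
}

# check_syn_hardening CONFIG_TEXT
# Print "ok" when tcp_syncookies is 1 and tcp_max_syn_backlog is >= 1024
# (1024 is an assumed minimum for this example), otherwise print the reason.
check_syn_hardening() {
  cookies=$(sysctl_value net.ipv4.tcp_syncookies "$1")
  backlog=$(sysctl_value net.ipv4.tcp_max_syn_backlog "$1")
  if [ "$cookies" != "1" ]; then
    echo "syncookies-off"
  elif [ -z "$backlog" ] || [ "$backlog" -lt 1024 ]; then
    echo "backlog-low"
  else
    echo "ok"
  fi
}

# Example run against the constructed sample.
check_syn_hardening "$SAMPLE_SYSCTL"
```

On a live box the same check can be pointed at the running kernel by feeding it the output of `sysctl net.ipv4.tcp_syncookies net.ipv4.tcp_max_syn_backlog`, which prints lines in the same `key = value` form.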