OK, I guess I was just being lazy :-), which never gives good results.
Peter Mueller wrote:
Assuming that you have an LVS loadbalancer running on a Linux box
and this box is behind a firewall so that only ports 80 & 443 are
allowed from clients.
Do you really need to harden the loadbalancer firewall rules ?
Yes, always.
i.e. should I enable things like SYN cookie protection etc ?
It's a good idea to not rely on one firewall box anywhere in your setup. If
you've got a PIX or Checkpoint or whatever firewall box, what harm can it do
to take 10 minutes now and set up iptables/ipchains packet filter rules,
basic accept/deny statements like Joe suggests?
Syncookies is a whole different ballgame. Syncookies, as I'm sure you know,
prevent SYN-flooding. Does your firewall safeguard against syn-flooding so
strongly that you feel syncookies is a bad idea?
Hope that helps
Peter
--
Regards,
Malcolm Turnbull
IT Manager
Crocus.co.uk Limited
Nursery Court
London Road
Windlesham
Surrey
GU20 6LQ
01344 629661
07715 770523
http://www.crocus.co.uk/
"They that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety." - Benjamin Franklin