Re: Minimum Security For LVS box ?

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: Minimum Security For LVS box ?
From: Roberto Nibali <ratz@xxxxxxxxxxxx>
Date: Wed, 02 Oct 2002 12:49:47 +0200
Peter Mueller wrote:
>> Assuming that you have an LVS loadbalancer running on a linux box
>> and this box is behind a firewall so that only ports 80 & 443 are allowed from clients.
>>
>> Do you really need to harden the loadbalancer firewall rules ?
> Yes, always.

Especially if the packet filter in front and the LVS are running the same OS :)

> It's a good idea to not rely on one firewall box anywhere in your setup.  If
> you've got a PIX or Checkpoint or whatever firewall box what harm can it do
> to take 10 minutes now and set up iptables/ipchains packet filter rules,
> basic accept/deny statements like Joe suggests?

DROP ALL, accept TCP 80/443 only.

> Syncookies is a whole different ballgame.  Syncookies as I'm sure you know
> prevent SYN-flooding.  Does your firewall safeguard against syn-flooding so
> strongly that you feel syncookies is a bad idea?

Nothing can prevent SYN flooding, you can only live better with it when you have SYN cookies enabled. With a wrongly set backlog queue size you still face a big penalty with SYN/RST attacks. Please read [1].

[1] http://cr.yp.to/syncookies.html

Best regards,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc

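The two concrete pieces of advice in this exchange, a default-DROP INPUT chain that accepts only TCP 80/443 and SYN cookies with a deliberately chosen backlog size, written out as an added shell example. This is not code from the thread or from the LVS project; the interface name `eth0`, the helper names and the `DRY_RUN` switch are assumptions, and the backlog value is a parameter because the thread does not recommend a number.

```shell
#!/bin/sh
# Added illustration, not from the thread: the "DROP ALL, accept TCP 80/443
# only" INPUT policy plus the SYN cookie sysctls. DRY_RUN=1 (the default)
# only prints the commands so the ruleset can be reviewed before it is run
# as root on the director.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# $1: interface facing the clients (assumed name, e.g. eth0).
# Rules are appended in order; anything not matched falls to the DROP policy.
lvs_min_input_rules() {
    iface=$1
    run iptables -P INPUT DROP                                   # default deny
    run iptables -A INPUT -i lo -j ACCEPT                        # loopback
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$iface" -p tcp --dport 80 -j ACCEPT
    run iptables -A INPUT -i "$iface" -p tcp --dport 443 -j ACCEPT
}

# $1: SYN backlog size. The thread gives no number; take it from your own
# measurements, since a badly sized queue is exactly what Roberto warns about.
syn_flood_settings() {
    backlog=$1
    case "$backlog" in
        ''|*[!0-9]*) echo "backlog must be a non-negative integer" >&2; return 1 ;;
    esac
    run sysctl -w net.ipv4.tcp_syncookies=1
    run sysctl -w net.ipv4.tcp_max_syn_backlog="$backlog"
}

# Number of iptables commands the policy emits; a quick sanity check for
# the dry run before anything is applied.
rule_count() {
    lvs_min_input_rules "$1" | wc -l | tr -d ' '
}

lvs_min_input_rules eth0
syn_flood_settings 1024
```

This touches only the INPUT chain, which is where traffic to the VIP is filtered on the director; it deliberately says nothing about FORWARD (LVS-NAT return traffic passes there) or about an admin-only rule for management access, both of which a real ruleset needs to decide on explicitly.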