Re: iptables and lvs

To:	lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject:	Re: iptables and lvs_nat
From:	Martijn Klingens <mklingens@xxxxxx>
Date:	Wed, 2 Oct 2002 17:30:02 +0200

On Wednesday 02 October 2002 17:19, Tim Cronin wrote:
> yup, I did that and it works, but is that safe?

It accepts all HTTP follow-ups without SYN, which potentially includes 
malformed and malicious packets.

You can probably filter out a few of those with '-m state --state INVALID -j 
DROP', but not all of it.

Either way, it's the best you can get in this setup, and it's still (slightly) 
better than good old ipchains, which already was quite reasonable.

And since there's a whole cluster behind your LVS box I take it that you also 
have a frontend dedicated firewall BEFORE the LVS machine that is able to do 
the full stateful inspection? :-)

-- 
Martijn

<Prev in Thread]	Current Thread	[Next in Thread>
Re: iptables and lvs_nat, (continued) Re: iptables and lvs_nat, Martijn Klingens Re: iptables and lvs_nat, Roberto Nibali Re: iptables and lvs_nat, Martijn Klingens Re: iptables and lvs_nat, Roberto Nibali Re: iptables and lvs_nat, Mike McLean RE: iptables and lvs_nat, Tim Cronin Re: iptables and lvs_nat, Martijn Klingens Re: iptables and lvs_nat, Alex Kramarov Re: iptables and lvs_nat, Martijn Klingens RE: iptables and lvs_nat, Tim Cronin Re: iptables and lvs_nat, Martijn Klingens <= RE: iptables and lvs_nat, Tim Cronin Re: iptables and lvs_nat, Martijn Klingens RE: iptables and lvs_nat, Tim Cronin RE: iptables and lvs_nat, Tim Cronin Re: iptables and lvs_nat, Martijn Klingens

Previous by Date:	RE: iptables and lvs_nat, Tim Cronin
Next by Date:	Re: No buffer space available, Julian Anastasov
Previous by Thread:	RE: iptables and lvs_nat, Tim Cronin
Next by Thread:	RE: iptables and lvs_nat, Tim Cronin
Indexes:	[Date] [Thread] [Top] [All Lists]

Re: iptables and lvs_nat