>You can probably filter out a few of those with '-m state --state INVALID -j DROP', but not all of it.
I'll add this.
>And since there's a whole cluster behind your LVS box I take it that you also have a frontend dedicated firewall BEFORE the LVS machine that is able to do the full stateful inspection? :-)
Due to the economic downturn, and limited space at the colo, the director and firewall will be living on the same box. I don't get to make these decisions, I just get to implement...
-----Original Message-----
From: Martijn Klingens [mailto:mklingens@xxxxxx]
Sent: Wednesday, October 02, 2002 10:30 AM
To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: iptables and lvs_nat
On Wednesday 02 October 2002 17:19, Tim Cronin wrote:
> yup, I did that and it works, but is that safe?
It accepts all HTTP follow-ups without SYN, which potentially includes
malformed and malicious packets.
You can probably filter out a few of those with '-m state --state INVALID -j DROP', but not all of it.
Either way, it's the best you can get in this setup, and it's still (slightly) better than good old ipchains, which already was quite reasonable.
And since there's a whole cluster behind your LVS box I take it that you also have a frontend dedicated firewall BEFORE the LVS machine that is able to do the full stateful inspection? :-)
--
Martijn
_______________________________________________
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://www.in-addr.de/mailman/listinfo/lvs-users
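The ruleset the thread arrives at, written out as an added example (not code from either poster): the '-m state --state INVALID -j DROP' rule goes in front of the non-SYN HTTP accept, new connections are only admitted on a SYN, and the non-SYN exception is scoped to the VIP and port 80 rather than left open. The thread treats the non-SYN accept as unavoidable for an LVS-NAT director that is also the firewall, so the example keeps it rather than replacing it with an ESTABLISHED match. The VIP address is constructed for the example, and the script defaults to printing the rules instead of loading them (set IPT=iptables to apply them). Where ip_vs hooks relative to the filter table depends on the kernel, so check the rule counters on the director before relying on the chain placement.

```shell
#!/bin/sh
# Added example, not from the list thread. Emits (or, with IPT=iptables,
# loads) an INPUT-chain ruleset for HTTP on an LVS-NAT director that is
# also the firewall, in the order the thread arrives at.
IPT="${IPT:-echo iptables}"   # dry run by default: prints instead of applying

# Assumed VIP (constructed for the example, not from the thread).
VIP="${VIP:-192.0.2.10}"

# The ruleset as one function so it can be reviewed or re-applied as a unit.
# $1 overrides the iptables command (used by the checks below).
http_input_rules() {
    ipt="${1:-$IPT}"
    # 1. Anything conntrack cannot classify is dropped before any accept
    #    rule can match it (the '-m state --state INVALID -j DROP' from
    #    the thread). This catches some malformed follow-ups, not all.
    $ipt -A INPUT -m state --state INVALID -j DROP
    # 2. A NEW connection to the VIP must begin with a SYN.
    $ipt -A INPUT -p tcp -d "$VIP" --dport 80 --syn -m state --state NEW -j ACCEPT
    # 3. The follow-up rule the thread describes: non-SYN HTTP packets to
    #    the VIP are accepted without a state match. Scoped to the VIP and
    #    port 80 so the exception is as narrow as the setup allows.
    $ipt -A INPUT -p tcp -d "$VIP" --dport 80 ! --syn -j ACCEPT
    # 4. Whatever HTTP traffic to the VIP is left (e.g. a SYN that conntrack
    #    does not consider NEW) is dropped rather than falling through.
    $ipt -A INPUT -p tcp -d "$VIP" --dport 80 -j DROP
}

# 1-based position of the INVALID drop in the emitted rules, so a caller
# can confirm it precedes every ACCEPT.
invalid_drop_position() {
    http_input_rules echo | grep -n -- '--state INVALID -j DROP' | cut -d: -f1
}

# 1-based position of the first ACCEPT in the emitted rules.
first_accept_position() {
    http_input_rules echo | grep -n -- '-j ACCEPT' | head -n1 | cut -d: -f1
}

# Number of rules emitted.
rule_count() {
    http_input_rules echo | wc -l | tr -d ' '
}

http_input_rules
```

Run it once without IPT set and read the four lines it prints; the ordering check (INVALID drop at position 1, first ACCEPT at position 2) is the property worth keeping when the ruleset is later edited, since an accept rule placed above the INVALID drop silently reopens the hole the thread is discussing.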