Matt Walkowiak wrote:
>
> The only thing I am worried about with a full-scale LVS-Nat solution with
> IPTables (or any other firewall solution for that matter), you need to have
> port 80 (or whatever port you want to load balance) go straight thru your
> INPUT chain, then LVS picks the packet up and does the forwarding. That
> means people on the Internet are talking directly to my "firewall" on port
> 80.
can you put a rule in the INPUT chain?
LVS is just a router with slightly non-standard routing rules.
> If for some reason LVS doesn't grab the packet, there
> is really nothing to stop a specially designed packet from taking over my
> firewall, if the hole exists.
There are cases where LVS and netfilter rules are incompatible and you
can't make a firewall from your director. If your rules are working
(you can see this by simply checking), then you're OK. This stuff
is buried in the HOWTO and I'm reorganising it for the next round.
If you're really skittish, then put the director behind the firewall.
> Is LVS robust enough not
> to be tricked by an evil deformed packet that could get past LVS and talk
> directly to my firewall, rather than being forwarded?
well we don't think so, but then neither does M$.
If there is a problem you'll get it fixed faster here than you will with M$.
Joe
--
Joseph Mack PhD, Senior Systems Engineer, SAIC contractor
to the National Environmental Supercomputer Center,
ph# 919-541-0007, RTP, NC, USA. mailto:mack.joseph@xxxxxxx
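As an added illustration (not part of the thread, and not from the LVS HOWTO) of the point Joe makes about putting a rule in the INPUT chain and then checking that the rules actually do what you think: the script below emits a minimal netfilter policy for an LVS-NAT director that load-balances VIP:80 (only that service reaches INPUT from the outside, everything else is dropped) and audits an `iptables -S INPUT` listing for any other open port. The VIP, interface and realserver network are assumed placeholders, and the two listings it audits are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal netfilter policy for an LVS-NAT
# director that load-balances VIP:80, plus a check of the live INPUT chain.
# All addresses and interface names below are assumed placeholders.
VIP="${VIP:-192.0.2.10}"             # assumed VIP on the director's outside interface
SERVICE_PORT="${SERVICE_PORT:-80}"   # the port being load balanced
OUTSIDE_IF="${OUTSIDE_IF:-eth0}"     # assumed Internet-facing interface
RIP_NET="${RIP_NET:-10.0.0.0/24}"    # assumed realserver network behind the director

# Emit the rules as text so they can be reviewed; pipe to sh on the director to apply.
director_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the only new connections the outside may open are to the load-balanced service;
# the INPUT chain must ACCEPT them or LVS never sees them
iptables -A INPUT -i $OUTSIDE_IF -p tcp -d $VIP --dport $SERVICE_PORT -m state --state NEW -j ACCEPT
# LVS-NAT: realserver replies come back through the director towards the outside
iptables -A FORWARD -s $RIP_NET -o $OUTSIDE_IF -j ACCEPT
EOF
}

# Audit an `iptables -S INPUT` listing read from stdin: the policy must be DROP and
# no ACCEPT rule may open a port other than $1. Prints findings, returns 1 on failure.
check_input_policy() {
    port="$1"
    rules=$(cat)
    rc=0
    if ! printf '%s\n' "$rules" | grep -q '^-P INPUT DROP$'; then
        echo "FINDING: INPUT policy is not DROP"; rc=1
    fi
    extra=$(printf '%s\n' "$rules" | grep -- '-j ACCEPT' | grep -- '--dport' \
            | grep -v -E -- "--dport $port( |$)" || true)
    if [ -n "$extra" ]; then
        echo "FINDING: ACCEPT rules open ports other than $port:"; echo "$extra"; rc=1
    fi
    return $rc
}

# Constructed sample listings in the shape `iptables -S INPUT` prints (not real output).
SAMPLE_OK='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 192.0.2.10/32 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT'
SAMPLE_BAD='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -d 192.0.2.10/32 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT'

# Run the audit on one of the constructed samples; $1 is OK or BAD.
check_sample() {
    case "$1" in
        OK)  printf '%s\n' "$SAMPLE_OK"  | check_input_policy "$SERVICE_PORT" ;;
        BAD) printf '%s\n' "$SAMPLE_BAD" | check_input_policy "$SERVICE_PORT" ;;
    esac
}

echo "# generated director rules:"; director_rules
echo "# audit of constructed OK listing:";  check_sample OK  && echo "only port $SERVICE_PORT is open"
echo "# audit of constructed BAD listing:"; check_sample BAD || echo "listing rejected as expected"
```

On a real director, run `iptables -S INPUT | sh -c '. ./script.sh; check_input_policy 80'` (or just paste the function) after loading the rules; this is the "simple checking" step, and it is also where the LVS/netfilter incompatibilities Joe mentions would show up, since a rule that looks right in the listing but that LVS never gets to is only caught by actually testing the service through the VIP.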