Matt Walkowiak wrote:
> OH.... here might be a good way to do it... Can I put a rule in the OUTPUT
> chain?
oh yes, and on the input chain on the realservers
(accept packets to VIP:80 from 0/0 but deny with src_addr=director...)
(you can wind up spending a lot of time on this...;-)
and the output chain of
the realservers (eg packets from VIP:80 to 0/0 can only go to default gw,
packets from VIP:80 to local addresses are denied)
> This rule would only allow port 80 from the LD to the RealServers -
you mean from the MAC address of the DIP?
and make sure that's VIP:80
> when the RealServers respond, they would be using the FORWARD chain, right?
er,
the realservers aren't forwarding. It's just on the OUTPUT.
> That would prevent my Firewall/LD box from responding to anyone talking to
> it on port 80
there should be no default route on the director from the VIP, see
http://www.linux-vs.org/Joseph.Mack/HOWTO/LVS-HOWTO.LVS-DR.html#Pearthree
> - so even if LVS gets subverted, I'm still protected. Does
> that logic hold?
well yes. but all packets on the INPUT chain of the director to VIP:80
are going to be forwarded anyhow (unless ipvs fails). What sort of thing
are you trying to guard against on the director?
Joe
--
Joseph Mack PhD, Senior Systems Engineer, SAIC contractor
to the National Environmental Supercomputer Center,
ph# 919-541-0007, RTP, NC, USA. mailto:mack.joseph@xxxxxxx
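The realserver-side rules sketched in this reply (INPUT: VIP:80 only via the director, OUTPUT: replies from VIP:80 only toward the default gateway, never to local addresses), written out as an added iptables example that is not part of the original thread. All addresses, the director MAC and the interface name are constructed placeholders, and "only to the default gateway" is approximated by dropping anything from VIP:80 addressed to the realservers' own LAN, since a packet filter cannot match the next hop directly.

```shell
#!/bin/sh
# Added example, not from the thread: LVS-DR realserver packet filter.
# Placeholder values (constructed); override via the environment.
VIP=${VIP:-192.0.2.10}                      # virtual IP the realserver serves
VPORT=${VPORT:-80}
DIRECTOR_IP=${DIRECTOR_IP:-192.0.2.1}       # director's DIP
DIRECTOR_MAC=${DIRECTOR_MAC:-00:11:22:33:44:55}  # MAC of the director's DIP interface
LOCALNET=${LOCALNET:-192.0.2.0/24}          # LAN shared by director and realservers
IFACE=${IFACE:-eth0}

# DRY_RUN=1 (the default) prints the rules instead of loading them, so the
# script can be reviewed without root or iptables; DRY_RUN=0 applies them.
ipt() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# INPUT chain for VIP:80. In DR the director only rewrites the destination
# MAC, so a legitimate packet keeps the client's source IP and arrives from
# the director's MAC. Anything claiming the DIP as source IP, or arriving
# from any other MAC, is not normal LVS traffic and is dropped.
realserver_input_rules() {
    ipt -A INPUT -i "$IFACE" -d "$VIP" -p tcp --dport "$VPORT" \
        -s "$DIRECTOR_IP" -j DROP
    ipt -A INPUT -i "$IFACE" -d "$VIP" -p tcp --dport "$VPORT" \
        -m mac --mac-source "$DIRECTOR_MAC" -j ACCEPT
    ipt -A INPUT -i "$IFACE" -d "$VIP" -p tcp --dport "$VPORT" -j DROP
}

# OUTPUT chain for replies from VIP:80: they must leave toward the client via
# the default gateway, so anything from VIP:80 addressed to the local LAN
# (director, other realservers) is dropped; everything else is allowed.
realserver_output_rules() {
    ipt -A OUTPUT -o "$IFACE" -s "$VIP" -p tcp --sport "$VPORT" \
        -d "$LOCALNET" -j DROP
    ipt -A OUTPUT -o "$IFACE" -s "$VIP" -p tcp --sport "$VPORT" -j ACCEPT
}

realserver_input_rules
realserver_output_rules
```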