Re: vs/nat + ipcop

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: vs/nat + ipcop
From: Graeme Fowler <graeme@xxxxxxxxxxx>
Date: Wed, 04 May 2005 20:51:41 +0100
Hi

On Wed, 2005-05-04 at 14:34 -0500, Matthew Lenz wrote:
> Is there any technical advantage to separating the firewall
> and lb onto different pieces of hardware?

This is really a purely personal or procedural objective, in my view.
You may find that when you're talking about a firewall (being a packet
filter) what someone else means is a "firewall with additional VPN
server functionality" (like, say, a PIX or other comparable commercial
unit). Another viewpoint is that a "firewall" isn't a firewall unless it
can do stateful inspection, in which case other people would define that
as a reactive IDS. It's a minefield :)

In my view, a director - particularly in a NAT environment - acts as a
firewall anyway by definition, since only the available services you
configure are exposed to the external clients [0]. You can then use
netfilter/iptables to protect the exposed services by (for example)
restricting connections to specific networks, or by limiting connection
rates. If you can do it with netfilter, you can run it on the director -
the netfilter rules pertinent to the INPUT chain in the filter table are
run before the packets get to the LVS module.

[0] Of course, it's good practice to restrict the non-LVS ports such as
the management SSH port; this can be done using service configuration,
tcpwrappers, iptables or a combination of all 3.

More complex rulesets may not work as expected (especially if you're
trying to hook the nat table) since the packets may be "lifted over"
parts of them when they're being processed by the LVS NAT code. At this
point the packets are usually beyond the normal "firewall" rules anyway,
so this may not be relevant.

I guess it comes down to personal and/or company preference coupled with
your absolute requirement - some commercial appliances offer far more
than simply firewall functionality, and if you make use of a lot of that
you may find you're restricted to their use - but there would be nothing
to stop you deploying some sort of "remote access" appliance alongside
your directors - or possibly even behind them.

YMMV, of course, but I'd say what you're proposing to achieve is
eminently possible :)

Graeme
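The director-side filtering Graeme describes (only the configured services exposed, connections restricted by source network and by rate in the filter table's INPUT chain, and the management SSH port locked down with iptables plus tcpwrappers) can be expressed as a reviewable ruleset. The script below is an added example, not code from the post or from the LVS project; the function names (`build_director_rules`, `build_hosts_allow`, `build_hosts_deny`, `count_vip_accepts`), the addresses, ports and limits are all constructed placeholders, and it assumes the `state`, `connlimit`, `hashlimit` and `limit` netfilter matches are available on the director's kernel.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset and
# matching tcpwrappers entries for an LVS-NAT director, following the post's
# advice: expose only the configured services, restrict them by source
# network and connection rate in the filter table's INPUT chain, and lock
# down the management SSH port. Every address, port and limit below is a
# constructed placeholder; adjust before use.

MGMT_NET="${MGMT_NET:-192.0.2.0/24}"                 # admin network allowed to reach sshd (placeholder)
MGMT_MASK="${MGMT_MASK:-192.0.2.0/255.255.255.0}"    # same network in tcpwrappers syntax
VIP="${VIP:-198.51.100.10}"                          # virtual IP the director exposes (placeholder)
SERVICE_PORTS="${SERVICE_PORTS:-80 443}"             # LVS services clients may reach
MAX_CONNS_PER_SRC="${MAX_CONNS_PER_SRC:-50}"         # simultaneous connections per client IP
NEW_PER_SEC="${NEW_PER_SEC:-20}"                     # new connections per second per client IP

# Print the filter-table rules in iptables-restore format. INPUT is walked
# before ip_vs sees a packet destined for the VIP, so these rules decide
# what the LVS code is ever allowed to load-balance.
build_director_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    # FORWARD is left open on purpose: LVS-NAT return traffic from the real
    # servers crosses it, and the post warns that rules interacting with the
    # NAT path may not behave as expected.
    printf '%s\n' ':FORWARD ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # management SSH only from the admin network (the post's footnote [0])
    printf '%s\n' "-A INPUT -p tcp --dport 22 -s $MGMT_NET -m state --state NEW -j ACCEPT"
    for port in $SERVICE_PORTS; do
        # too many concurrent connections from one source: drop
        printf '%s\n' "-A INPUT -p tcp -d $VIP --dport $port -m connlimit --connlimit-above $MAX_CONNS_PER_SRC -j DROP"
        # too many new connections per second from one source: drop
        printf '%s\n' "-A INPUT -p tcp -d $VIP --dport $port -m state --state NEW -m hashlimit --hashlimit-above ${NEW_PER_SEC}/sec --hashlimit-burst $NEW_PER_SEC --hashlimit-mode srcip --hashlimit-name lvs_$port -j DROP"
        # within limits: hand the packet on to ip_vs
        printf '%s\n' "-A INPUT -p tcp -d $VIP --dport $port -m state --state NEW -j ACCEPT"
    done
    # anything else aimed at the director itself is logged (rate limited) and
    # then dropped by the chain policy
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "director-drop: "'
    printf '%s\n' 'COMMIT'
}

# Second layer for sshd, as the post suggests combining mechanisms:
# tcpwrappers entries for /etc/hosts.allow and /etc/hosts.deny.
build_hosts_allow() { printf 'sshd: %s\n' "$MGMT_MASK"; }
build_hosts_deny()  { printf 'ALL: ALL\n'; }

# Count how many rules in the generated set expose a given port on the VIP;
# handy for a quick review before loading anything (0 means the port is not exposed).
count_vip_accepts() {
    build_director_rules | grep -c -- "-d $VIP --dport $1 -m state --state NEW -j ACCEPT"
}

# Print the ruleset for review; once reviewed, load it on the director with
# "iptables-restore < file" and install the tcpwrappers entries by hand.
build_director_rules
```

Running the script prints the ruleset rather than applying it, so it can be reviewed (or diffed against the running `iptables-save` output) before anything touches the director. The `nat` table is deliberately not generated, in line with the post's caution about hooking it on an LVS-NAT box.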

