LVS and host based firewall

Mike Radomski Mike.Radomski at itec.mail.suny.edu
Thu May 9 16:30:07 BST 2002


Hello,
I have an LVS cluster that performs Direct Routing for Windows and Linux 
real servers.  Everything is working quite well for load balancing a 
Domino cluster.  We are now implementing a Linux Domino Cluster and would 
like to put a host based firewall on each real server.  The real servers 
are running SuSE Linux.  I have been trying to use SuSEfirewall for 
simplicity, though usually use ipchains.  When I turn on the firewall, the 
real servers are still listed in ipvsadm, but do not receive connections. 
I can get directly to the real servers via their IP.

Here are my SuSEfirewall rules:

FW_DEV_WORLD="eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
FW_ROUTE="no"
FW_AUTOPROTECT_GLOBAL_SERVICES="no"
FW_PROTECT_FROM_INTERNAL="no"

FW_SERVICES_INTERNAL_TCP="1:65535"
FW_SERVICES_INTERNAL_UDP="1:65535"

FW_SERVICES_EXTERNAL_TCP="www https ssh lotusnote"
FW_SERVICES_EXTERNAL_UDP="www https ssh lotusnote"

FW_TRUSTED_NETS="xxx.xxx.xxx.xxx/24"
FW_SERVICES_TRUSTED_TCP="1:65535"
FW_SERVICES_TRUSTED_UDP="1:65535"

FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_ALLOW_PING_FW="yes"

If anyone has any suggestions for SuSEfirewall or ipchains, it would be 
greatly appreciated.

Thank you,


Mike Radomski

SUNY - ITEC
Information Technology Exchange Center
Systems Programmer/Analyst 
E-mail: Mike.Radomski at itec.mail.suny.edu 
Systems E-Mail: scsys at itec.mail.suny.edu 
Phone: (716)878-4832
Cellular: (716)866-7039
Fax: (716)878-4235
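Added example, not part of the post above: in LVS Direct Routing the director forwards client packets to the real server unmodified, so the real server's host firewall sees them with the VIP as destination, not the interface's own address. The script below emits ipchains rules that accept such packets for the service names used in the post; the interface, VIP and port mapping are assumptions, and the rules are printed for review rather than executed.

```shell
#!/bin/sh
# Added example (not from the original post). Emits ipchains rules so a
# LVS-DR real server accepts client traffic addressed to the VIP.
# Assumptions: the VIP and interface are placeholders; the service-to-port
# mapping below covers only the names used in the post.

# Map a SuSEfirewall service name (or a literal port) to its TCP port.
service_port() {
    case "$1" in
        www)       echo 80 ;;
        https)     echo 443 ;;
        ssh)       echo 22 ;;
        lotusnote) echo 1352 ;;   # Lotus Notes RPC
        [0-9]*)    echo "$1" ;;   # already numeric
        *)         return 1 ;;    # unknown name: caller decides
    esac
}

# dr_vip_rules DEV VIP SERVICE...
# Prints one ipchains input rule per service, matching packets that arrive
# on DEV with destination VIP:PORT. Nothing is executed here: pipe the
# output to sh only after reviewing it.
dr_vip_rules() {
    dev=$1; vip=$2; shift 2
    for svc in "$@"; do
        port=$(service_port "$svc") || {
            echo "unknown service: $svc" >&2
            return 1
        }
        echo "ipchains -A input -i $dev -p tcp -d $vip $port -j ACCEPT"
    done
}

# Example invocation with placeholder values (constructed, not from the post).
dr_vip_rules eth0 192.0.2.10 www https ssh lotusnote
```

The same idea applies to SuSEfirewall: whatever rules it generates must match the VIP as destination, not only the primary address of eth0.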

