Minimum Security For LVS box ?
Roberto Nibali
ratz at drugphish.ch
Wed Oct 2 11:49:47 BST 2002
Peter Mueller wrote:
>>Assuming that you have an LVS loadbalancer running on a linux box
>>and this box is behing a firewall so that only ports 80 & 443 are
>>allowed from clients.
>>
>>Do you really need to harden the loadbalancer firewall rules ?
>
> Yes, always.
Especially if the packet filter in front and the LVS are running the
same OS :)
> It's a good idea to not rely on one firewall box anywhere in your setup. If
> you've got a PIX or Checkpoint or whatever firewall box what harm can it do
> to take 10 minutes now and setup iptables/ipchains packet filter rules,
> basic accept/deny statements like Joe suggests?
DROP ALL, accept TCP 80/443 only.
> Syncookies is a whole different ballgame. Syncookies as I'm sure you know
> prevent SYN-flooding. Does your firewall safeguard against syn-flooding so
> strongly that you feel syncookies is a bad idea?
Nothing can prevent SYN flooding; you can only live better with it when
you have SYN cookies enabled. With a wrongly set backlog queue size you
still face a big penalty from SYN/RST attacks. Please read [1].
[1] http://cr.yp.to/syncookies.html
Best regards,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc
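The "DROP ALL, accept TCP 80/443 only" policy and the SYN-cookie sysctls discussed in this thread, as an added shell example that is not from the list or the LVS project; the interface names, admin network and backlog value are assumptions to adjust for your own director.

```shell
#!/bin/sh
# Added example, not from the thread: minimal INPUT policy for an LVS
# director that only serves client TCP 80/443, plus the SYN-cookie sysctls.
WAN_IF="${WAN_IF:-eth0}"               # assumed client-facing interface
ADMIN_NET="${ADMIN_NET:-10.0.0.0/24}"  # assumed management network (SSH only)
SYN_BACKLOG="${SYN_BACKLOG:-2048}"     # assumed value; size it for your load

# Emit the rules instead of applying them so they can be reviewed first.
# Only INPUT is touched: FORWARD is left alone because LVS-NAT passes
# real-server replies through it. Accept rules go in before the policy
# flips to DROP, so a remote session is not cut off between the two steps.
lvs_rules() {
    cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -s $ADMIN_NET -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "lvs-drop: "
iptables -P INPUT DROP
EOF
}

# SYN cookies do not stop a flood; they let the box keep accepting real
# connections while the backlog is full. The backlog itself still has to be
# sized sensibly, which is the point made about the queue size above.
syn_sysctls() {
    cat <<EOF
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_max_syn_backlog=$SYN_BACKLOG
EOF
}

# Apply only when asked for explicitly (needs root):
#   APPLY_LVS_RULES=yes sh lvs-fw.sh
if [ "${APPLY_LVS_RULES:-no}" = "yes" ]; then
    lvs_rules | sh -e
    syn_sysctls | sh -e
fi
```

Run it once without `APPLY_LVS_RULES` to print and review the generated commands; the ESTABLISHED,RELATED rule is what lets the director's own health checks to the real servers get their replies back through the DROP policy.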