iptables and lvs_nat

Tim Cronin tim at 13-colonies.com
Wed Oct 2 16:41:54 BST 2002


>You can probably filter out a few of those with '-m state --state INVALID -j
>DROP', but not all of it.

I'll add this.

>And since there's a whole cluster behind your LVS box I take it that you also
>have a frontend dedicated firewall BEFORE the LVS machine that is able to do
>the full stateful inspection? :-)

Due to the economic downturn, and limited space at the colo,
the director and firewall will be living on the same box. I don't
get to make these decisions, I just get to implement...




-----Original Message-----
From: Martijn Klingens [mailto:mklingens at ism.nl]
Sent: Wednesday, October 02, 2002 10:30 AM
To: lvs-users at LinuxVirtualServer.org
Subject: Re: iptables and lvs_nat


On Wednesday 02 October 2002 17:19, Tim Cronin wrote:
> yup, I did that and it works, but is that safe?

It accepts all HTTP follow-ups without SYN, which potentially includes 
malformed and malicious packets.

You can probably filter out a few of those with '-m state --state INVALID -j
DROP', but not all of it.

Either way, it's the best you can get in this setup, and it's still (slightly)
better than good old ipchains, which already was quite reasonable.

And since there's a whole cluster behind your LVS box I take it that you also
have a frontend dedicated firewall BEFORE the LVS machine that is able to do
the full stateful inspection? :-)

-- 
Martijn
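The rule ordering Martijn's reply implies, as an added example that is not from either message: a director-side INPUT rule list for an LVS-NAT box that also acts as the firewall, with the INVALID drop placed before the rule that accepts non-SYN HTTP follow-ups, plus a check that the ordering holds. The VIP 192.0.2.10, port 80, interface eth0, and the assumption that VIP traffic traverses INPUT on a 2.4-era LVS director are mine, not the thread's.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed values: VIP in the
# documentation range, HTTP on port 80, external interface eth0.
VIP="${VIP:-192.0.2.10}"
EXT_IF="${EXT_IF:-eth0}"

# Print the rules, one iptables command per line, in the order they must be
# loaded. Loopback, SSH and other management traffic are deliberately omitted.
lvs_nat_http_rules() {
    cat <<EOF
iptables -A INPUT -i $EXT_IF -m state --state INVALID -j DROP
iptables -A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp -d $VIP --dport 80 --syn -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp -d $VIP --dport 80 ! --syn -j ACCEPT
iptables -A INPUT -i $EXT_IF -j DROP
EOF
}

# The trade-off from the thread: the last ACCEPT lets non-SYN HTTP packets
# through even when conntrack has no state for them. The only filtering left
# is the INVALID drop, which is useless unless it comes first. Exit 0 when the
# INVALID drop precedes the non-SYN accept, 1 otherwise.
invalid_drop_precedes_nonsyn_accept() {
    lvs_nat_http_rules | awk '
        /--state INVALID -j DROP/ { d = NR }
        /! --syn -j ACCEPT/       { a = NR }
        END { exit !(d && a && d < a) }'
}

# Count the rule lines; used as a cheap self-check of the generated list.
rule_count() {
    lvs_nat_http_rules | grep -c '^iptables '
}

# "sh this.sh apply" loads the rules; with no argument they are only printed.
if [ "$1" = apply ]; then
    invalid_drop_precedes_nonsyn_accept || { echo "bad rule order" >&2; exit 1; }
    lvs_nat_http_rules | sh
else
    lvs_nat_http_rules
fi
```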

