
Re: [Openvds-devel] iptables


From: jimmy
Subject: Re: [Openvds-devel] iptables
Date: Tue, 11 Dec 2001 14:06:10 +0100

Hi,



On [Tue, 11 Dec 2001 12:45:16 -0000] "Tim Sellar" <address@hidden> wrote:

> Just an update that the issue with iptables is not being ignored. However,
> we have been concentrating on removing the need for iptables by getting
> Apache to run securely on port 80.... Details as soon as the testing is
> completed..

hmm, if this would cause losing the possibility to install new, generic
apaches then I would really, really prefer the iptables version.

Everyone should become familiar with iptables a little bit, because of
security and traffic measurement issues. Taking iptables away wouldn't
help anyone in the long run.

regards

jimmy


> 
> Tim
> 
> > -----Original Message-----
> > From: address@hidden
> > [mailto:address@hidden Behalf Of Simon Garner
> > Sent: 10 December 2001 02:22
> > To: Chris Fulton
> > Cc: freevsd-support
> > Subject: Re: [Openvds-devel] iptables
> >
> >
> > Hi Chris,
> >
> > >
> > > From my understanding, and experience with this same problem 'connecting
> > > to self' I have observed that connections made from the VS start sockets
> > > on eth0 when one would hope it would use eth0:2. In other words, use the
> > > virtual interface instead of the real one.
> > >
> >
> > Ah, okay, just tested this... If I lynx to port 8080 on the VS
> > from the host
> > server, in the logs this request appears with the VS's IP instead of the
> > host server's. So it appears that traffic to alias interfaces on the local
> > machine always appears to originate from that same alias interface...
> >
> > That's a slightly different issue to what you're talking about. But it
> > doesn't really explain why the iptables rules don't work, since
> > those rules
> > are not placing any restriction on the source address. Presumably
> > it instead
> > means the rule is not getting executed at all.
> >
> >
> > > Another related issue:
> > > If you send yourself some email from your VS account to an account on a
> > > different server and look at the headers you will see that your host
> > > server will be exposed due to the fact that the smtp server you connect
> > > to will do a reverse lookup on your ip and discover the host server, not
> > > the vs, since the packets originate from there.
> > >
> >
> > Yep, not sure that could be fixed without hacking the Linux IP stack.
> >
> >
> > > I think this is probably the biggest problem with running an effective
> > > VS at the moment. Here is my understanding: If all VS' connections
> > > originate from '127.0.0.1' on the host server, do all my clients have
> > > access to VSD protocol? Yes. You have to allow it to be able to use
> > > vsdadm from the command line. I'm sure there are plenty of other reasons to
> > > want VS' connections to originate from the VS' ip not the host's ip, and
> > > not allow access to 127.0.0.1 from the VS.
> >
> > As long as you use the SSL version of VSD this shouldn't be a
> > problem since
> > the VS users won't have access to your certificate. (They'll be able to
> > connect to the svsd service but won't be able to authenticate. Just like
> > they can probably connect to your ssh service but can't login.)
> >
> > Cheers,
> >
> > Simon
> >
> > ------------------------- The freeVSD Support List --------------------------
> > Subscribe:   mailto:address@hidden
> > Unsubscribe: mailto:address@hidden
> > Archives:    http://freevsd.org/support/mail-archives/freevsd-support
> > -----------------------------------------------------------------------------
> 

James T. Koerting
 
KSD Germany
address@hidden
 
Murphy's Law: "Anything that can go wrong, will go wrong"
Parkinson's Law: "Work expands to exceed available time"
Koerting's Law: "Don't fight against these laws"
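The quoted discussion turns on which source address a connection from a virtual server ends up with: Simon observes that locally generated traffic is attributed to the alias interface, and Chris points out that outbound mail is attributed to the host server's address, so a remote reverse lookup exposes the host rather than the VS. The following script is an added example, not code from the thread or from freeVSD/OpenVSD, showing the one control a process itself has over this: calling bind() on the desired local address before connect(), so the peer (and any source-address iptables rule) sees that address instead of whatever the kernel picks. It assumes a Linux host where the whole 127.0.0.0/8 block is usable as loopback, and uses 127.0.0.2 as a constructed stand-in for an alias address such as eth0:2; the helper names are mine.

```python
import socket
import threading


def run_source_echo_server(listen_addr="127.0.0.1"):
    """Start a TCP server on an ephemeral port that answers every client
    with the source address it observed (the peer address of the accepted
    socket). This is the same address a remote SMTP or HTTP server would
    log and feed into a reverse lookup. Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_addr, 0))          # port 0: let the kernel choose
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:
                return                  # listening socket was closed
            with conn:
                conn.sendall(peer[0].encode())

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def connect_from(server_port, source_addr=None, server_host="127.0.0.1"):
    """Connect to the echo server and return the source address it saw.

    source_addr=None leaves source selection to the kernel, which is the
    behaviour the thread complains about (traffic attributed to the host
    or to the "wrong" interface). With an explicit source_addr the client
    binds to it before connect(), pinning the address the peer observes."""
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if source_addr is not None:
            cli.bind((source_addr, 0))  # any ephemeral port on that address
        cli.connect((server_host, server_port))
        return cli.recv(64).decode()
    finally:
        cli.close()


if __name__ == "__main__":
    srv, port = run_source_echo_server()
    print("kernel-chosen source :", connect_from(port))
    print("pinned to 127.0.0.1  :", connect_from(port, "127.0.0.1"))
    # Constructed stand-in for an alias address (Linux loopback /8 assumption).
    try:
        print("pinned to 127.0.0.2  :", connect_from(port, "127.0.0.2"))
    except OSError as exc:
        print("127.0.0.2 not usable on this host:", exc)
    srv.close()
```

Run it on a Linux box and the third line shows the peer logging 127.0.0.2, i.e. the address the process asked for, while the first line shows whatever the kernel selected. The same bind()-before-connect() pattern is what an MTA or web server inside a VS needs (usually a "bind address" or "source address" option) for its outbound connections to carry the VS's own address; without it the host's address is what the far end logs and resolves.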

