> One reason for an ILB machine to configure IP Filter may be to disallow all 
> incoming packets except for those that are for load balancing and ssh. I 
> don't know how common this case may be, but I am wondering if this 
> capability can be added in ILB itself, so that the user does not 
> require IP Filter configuration for this purpose. We can invoke this 
> via an additional lbadm option called "dedicated" or something.
>
> This would probably mean that at ip_input() we check to see if the packet is 
> ssh protocol; if it's not, we match the packet's dest port and protocol to 
> those that show up in lb rules, or else drop the packet.
>
> Comments?

Firstly, doing something like that is exactly what the
pfhooks stuff is for... so no need to play in ip_input().

Secondly, we already have two ways to throw packets away,
ipsec and ipfilter - do we really need a third?

Bear in mind that if you get ipsec and ipfilter folks in
a corner, there's general agreement that already two is
one too many...

I think it behooves us to understand what and how ilb and
ipfilter interact and to work out how the two can leverage
each other so that "extra customer requirements" can be
met safely. Needless to say, if we don't do it in advance,
users will likely go exploring...

If you're worried about performance - well, that's often
at odds with security. In the end, it is up to the end user
to choose how much (or little) security they want vs.
performance. They can always buy faster boxes from us :-)

Darren
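The policy sketched in the quoted proposal (admit ssh, admit anything that matches a load-balancing rule, drop the rest) can be expressed in the filter the reply points to instead of a new check in ip_input(). The following is an added example, not code from this thread or from the ILB or IP Filter projects: it derives a default-deny ipf.conf ruleset from a list of LB rules and also exposes the same policy as a per-packet predicate, so the two views can be compared. The LB rule shape (name, VIP, protocol, port) and the sample rules are constructed for illustration.

```python
"""Derive a default-deny IP Filter ruleset from load-balancer rules.

Added example (not from the mailing-list thread, ILB or IP Filter). The
LB rule format (name, vip, proto, port) is an assumption for illustration.
"""
from dataclasses import dataclass

SSH_PORT = 22


@dataclass(frozen=True)
class LbRule:
    name: str
    vip: str    # virtual IP the rule listens on
    proto: str  # "tcp" or "udp"
    port: int


# Constructed sample rules: one HTTP and one DNS service behind the VIP.
SAMPLE_RULES = [
    LbRule("web", "192.0.2.10", "tcp", 80),
    LbRule("dns", "192.0.2.10", "udp", 53),
]


def ipf_rules(lb_rules, ssh_port=SSH_PORT, log_drops=True):
    """Return ipf.conf lines: inbound default deny, pass ssh and each LB service.

    IP Filter's default for an unmatched packet is to pass it, so the explicit
    'block in' comes first; the 'quick' pass rules short-circuit evaluation,
    so anything they do not match falls back to the block.
    """
    lines = ["block in log all" if log_drops else "block in all",
             "pass out quick all keep state",
             f"pass in quick proto tcp from any to any port = {ssh_port} keep state"]
    for r in lb_rules:
        if r.proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol in rule {r.name}: {r.proto}")
        lines.append(f"# ilb rule {r.name}")
        lines.append(f"pass in quick proto {r.proto} from any to {r.vip} "
                     f"port = {r.port} keep state")
    return lines


def permitted(lb_rules, dst_ip, proto, dport, ssh_port=SSH_PORT):
    """The same policy as a predicate over one inbound packet (dst, proto, dport)."""
    if proto == "tcp" and dport == ssh_port:
        return True
    return any(r.proto == proto and r.vip == dst_ip and r.port == dport
               for r in lb_rules)


if __name__ == "__main__":
    print("\n".join(ipf_rules(SAMPLE_RULES)))
    # A few constructed inbound packets checked against the same policy.
    for pkt in [("192.0.2.10", "tcp", 80), ("192.0.2.10", "tcp", 22),
                ("192.0.2.10", "tcp", 443), ("192.0.2.11", "udp", 53)]:
        print(pkt, "pass" if permitted(SAMPLE_RULES, *pkt) else "drop")
```

Because the generated ruleset is ordinary ipf.conf text, it can be reviewed and loaded with the existing IP Filter tooling, which is the "leverage each other" approach the reply argues for rather than a third in-kernel drop path.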