Hi all Vuurmuur firewallers!
We are working on a high-availability Linux cluster using Keepalived
(http://www.keepalived.org/). Keepalived uses the VRRP protocol to share
a "virtual" IP address between all "real" servers. Next, Keepalived can
use 3 methods (http://www.linuxvirtualserver.org/how.html) to route
packets from the virtual server to the real ones:
- NAT
- Tunneling
- Direct Routing
For technical (and practical) reasons we have to use Direct
Routing. So the architecture is exactly like the schema at
http://www.linuxvirtualserver.org/VS-DRouting.html.
On the LinuxDirector we want to use Vuurmuur to do some firewalling, but
we have some problems with the default DROP rules "no SYN" or "INVALID",
because clients pass through the LinuxDirector whereas the LinuxDirector does
not know anything about the TCP session: the problem is that Vuurmuur thinks
it is an invalid session or a session without SYN.
Have you ever heard about this problem?
Have you got any solutions?
On my side, I tried to hack Vuurmuur, and I found another problem:
how can I write my own rules before Vuurmuur's rules apply? The
solution: in the first rule of the INPUT, FORWARD and OUTPUT chains,
branch to the user chains VRMR-PREINPUT, VRMR-PREFORWARD,
VRMR-PREOUTPUT ... and do there whatever you have to do (rate limiting,
ACCEPT/DROP packets that Vuurmuur cannot match, ...).
To understand it well, let's have a look at iptables-save:
**************
...
:VRMR-PREFORWARD - [0:0]
:VRMR-PREINPUT - [0:0]
:VRMR-PREOUTPUT - [0:0]
-A INPUT -j VRMR-PREINPUT
-A INPUT -i lo -j ACCEPT
...
-A FORWARD -j VRMR-PREFORWARD
-A FORWARD -i eth0 -j ACC-eth0
-A FORWARD -i eth1 -j ACC-eth1
...
-A OUTPUT -j VRMR-PREOUTPUT
-A OUTPUT -o lo -j ACCEPT
...
**************
With this patch I solved my problem... and some others.
What do you think about this?
Many Thanks,
Alex.
--
Alexandre SIMON
Cellule Réseau StanNet/Lothaire
C.I.R.I.L. | Network on-call: +33 (0)3.83.68.24.24
Château du Montet | Direct tel.: +33 (0)3.83.68.24.32
Rue du Doyen Roubault | Fax: +33 (0)3.83.68.24.01
F - 54500 VANDOEUVRE | Email: [EMAIL PROTECTED]
--- vuurmuur-0.5.71.orig/vuurmuur/createrule.c 2006-04-30 12:57:42.000000000
+0200
+++ vuurmuur-0.5.71/vuurmuur/createrule.c 2006-07-27 10:54:41.000000000
+0200
@@ -2155,6 +2155,36 @@
/*
+ make specials CHAINS 'VRMR-PRE{INPUT,FORWARD,OUTPUT}'
+ Patch by(as) : [EMAIL PROTECTED]
+ Allow to make some specials stuff before
Vuurmuur stuff.
+ */
+ if(conf.bash_out == TRUE) fprintf(stdout, "\n# Making some
specials VRMR-PRE{INPUT,FORWARD,OUTPUT} CHAINS...\n");
+ if(debuglvl >= LOW) (void)vrprint.debug(__FUNC__, "Making
some specials VRMR-PRE{INPUT,FORWARD,OUTPUT} CHAINS...");
+
+ snprintf(cmd, sizeof(cmd), "%s -N VRMR-PREINPUT 2>/dev/null",
conf.iptables_location);
+ (void)pipe_command(debuglvl, &conf, cmd, PIPE_QUIET);
+
+ snprintf(cmd, sizeof(cmd), "-j VRMR-PREINPUT");
+ if(process_rule(debuglvl, ruleset, TB_FILTER, CH_INPUT, cmd, 0, 0) < 0)
+ retval = -1;
+
+ snprintf(cmd, sizeof(cmd), "%s -N VRMR-PREFORWARD 2>/dev/null",
conf.iptables_location);
+ (void)pipe_command(debuglvl, &conf, cmd, PIPE_QUIET);
+
+ snprintf(cmd, sizeof(cmd), "-j VRMR-PREFORWARD");
+ if(process_rule(debuglvl, ruleset, TB_FILTER, CH_FORWARD, cmd, 0, 0) <
0)
+ retval=-1;
+
+ snprintf(cmd, sizeof(cmd), "%s -N VRMR-PREOUTPUT 2>/dev/null",
conf.iptables_location);
+ (void)pipe_command(debuglvl, &conf, cmd, PIPE_QUIET);
+
+ snprintf(cmd, sizeof(cmd), "-j VRMR-PREOUTPUT");
+ if(process_rule(debuglvl, ruleset, TB_FILTER, CH_OUTPUT, cmd, 0, 0) < 0)
+ retval=-1;
+
+
+ /*
allow local loopback
*/
if(conf.bash_out == TRUE) fprintf(stdout, "\n# Allowing local
loopback...\n");
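Review bot: the three chain creations and the three jump rules take different paths, and a failure in the first is never seen. Each `-N VRMR-PRE*` is run immediately through `pipe_command(..., PIPE_QUIET)` with `2>/dev/null` and the return value cast to `(void)`, while the matching `-j VRMR-PRE*` goes through `process_rule(debuglvl, ruleset, TB_FILTER, ...)`, which is the call that honors the `ruleset` argument (and, judging by the `conf.bash_out` check that only prints a comment here, the bash-script output mode). If iptables refuses the `-N`, or if the rules are being emitted rather than executed, the output contains a jump to a chain that was never created and the admin gets no error. Suggest creating the chains the same way the existing per-interface chains (ACC-eth0 and friends in the iptables-save above) are created, or at least checking the `pipe_command` result and setting `retval = -1` on failure. Also worth deciding and documenting: the chains are never flushed (`-F`) or deleted (`-X`) in this hunk, so user rules placed in them persist across Vuurmuur reloads unless a flush elsewhere removes them; that may well be the intended feature, but it should be stated. Minor style: "specials CHAINS" should read "special chains" in the comment and both messages, `retval = -1` and `retval=-1` are spelled inconsistently, and the new block is wedged between the original comment's `/*` (kept as context) and a freshly added `+ /*`, so the old opener now belongs to the new comment; inserting the whole block above the existing `/*` would keep the "allow local loopback" comment untouched.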
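As an added example (not from Alex's mail and not Vuurmuur's own code), the following script fills the VRMR-PREINPUT chain that the patch creates with rules for one LVS-DR virtual service, so that traffic to the VIP is accepted before Vuurmuur's "no SYN" and INVALID drops are reached. The VIP 192.0.2.10, interface eth0, ports 80/443 and the /sbin/iptables path are constructed for the example. Two points go beyond what the mail proposes and are assumptions of this example: the raw-table NOTRACK step (so the half-seen connections are never tracked at all, rather than tracked wrongly), and the choice of VRMR-PREINPUT rather than VRMR-PREFORWARD, because in LVS-DR the VIP is a local address on the director, the packet is delivered locally through the INPUT chain and IPVS takes it from there, so FORWARD is not traversed for it.

```shell
#!/bin/sh
# Added example: pre-Vuurmuur rules for one LVS-DR virtual service.
# Not part of the original mail or of Vuurmuur itself.
# Assumptions (constructed for the example): VIP 192.0.2.10 on eth0,
# TCP services on 80 and 443, iptables at /sbin/iptables, a raw table
# with the NOTRACK target available, and the patched Vuurmuur providing
# the VRMR-PREINPUT chain.
#
# Why: in LVS-DR the director only sees the client -> VIP half of each TCP
# connection (the real server answers the client directly), so conntrack
# can never see the reply and the flow never becomes ESTABLISHED; the
# "INVALID" and "NEW without SYN" drops then hit legitimate mid-stream
# packets. The rules below (1) stop tracking VIP traffic entirely and
# (2) accept it by address and port, rate-limiting only the SYNs.

IPTABLES="${IPTABLES:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-1}"          # 1 = print the commands (default), 0 = execute
SYN_LIMIT="${SYN_LIMIT:-100/s}"  # new connections per second per service
SYN_BURST="${SYN_BURST:-200}"

# run: print or execute one iptables invocation depending on DRY_RUN
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# vip_pre_rules VIP IFACE PORT [PORT ...]
# Emits (or applies) the rules for one virtual service.
vip_pre_rules() {
    vip="$1"; iface="$2"; shift 2

    # The patched Vuurmuur creates this chain; creating it here as well
    # lets the script run stand-alone (-N fails harmlessly if it exists).
    run -N VRMR-PREINPUT 2>/dev/null || true

    # (1) Never track VIP traffic: the director cannot see the reply
    #     direction, so any conntrack entry for it could only be wrong.
    #     Untracked packets are neither NEW nor INVALID, so Vuurmuur's
    #     state-based drops no longer match them.
    run -t raw -A PREROUTING -i "$iface" -d "$vip" -j NOTRACK

    for port in "$@"; do
        # (2a) Accept new connections (SYN) up to a bounded rate ...
        run -A VRMR-PREINPUT -i "$iface" -d "$vip" -p tcp --dport "$port" \
            --syn -m limit --limit "$SYN_LIMIT" --limit-burst "$SYN_BURST" \
            -j ACCEPT
        # (2b) ... drop the SYNs beyond that rate ...
        run -A VRMR-PREINPUT -i "$iface" -d "$vip" -p tcp --dport "$port" \
            --syn -j DROP
        # (2c) ... and accept all other segments for the service without
        #      looking at conntrack state, which is meaningless here.
        run -A VRMR-PREINPUT -i "$iface" -d "$vip" -p tcp --dport "$port" \
            -j ACCEPT
    done
}

# Stand-alone use: DRY_RUN=0 ./vip-pre-rules.sh (as root, after Vuurmuur
# has loaded its ruleset so the VRMR-PRE* chains exist and are jumped to).
vip_pre_rules 192.0.2.10 eth0 80 443
```

Run it first with the default DRY_RUN=1 and compare the printed commands against `iptables-save`; only the SYN rules carry a limit, so a burst of ACKs from existing clients is never throttled. Do not apply the NOTRACK rule to a VIP whose service the director handles in NAT mode, since NAT relies on conntrack for that traffic.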
_______________________________________________
Vuurmuur-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/vuurmuur-users