[Victor Julien] wrote the following on [29/07/2006 10:19]:
> Alexandre SIMON wrote:
>> Hi all Vuurmuur firewallers!
>
> Hi Alexandre!
>
>> We are working on a high-availability Linux cluster using Keepalived
>> (http://www.keepalived.org/). Keepalived uses the VRRP protocol to share
>> a "virtual" IP address between all "real" servers. Next, Keepalived can
>> use 3 methods (http://www.linuxvirtualserver.org/how.html) to route
>> packets from the virtual server to the real ones:
>> - NAT
>> - Tunneling
>> - Direct Routing
>>
>> For technical (and practical) reasons we have to use Direct Routing.
>> So the architecture is exactly like the diagram at
>> http://www.linuxvirtualserver.org/VS-DRouting.html.
>> On the LinuxDirector we want to use Vuurmuur to do some firewalling, but
>> we have some problems with the default DROP rules "no SYN" or "INVALID",
>> because clients pass through the LinuxDirector whereas the LinuxDirector
>> does not know anything about the TCP session: the problem is that Vuurmuur
>> thinks it is an invalid session or a session without SYN.
>>
>> Have you ever heard of this problem?
>> Have you got any solutions?
>
> Both no... Vuurmuur is built around connection tracking and enforces that
> TCP connections are correct. This means that it has to see every part of
> them. However, the PRE-VUURMUUR chain support is probably very helpful.

Yes, we really think so. This way, Vuurmuur can be used as a "standard"
firewall or as an "advanced" one for special cases.

>> On my side, I tried to hack Vuurmuur, and I found another problem: how
>> can I write my own rules before Vuurmuur's rules apply? The solution:
>> in the first rules of the INPUT, FORWARD and OUTPUT chains, let's branch to
>> the user chains VRMR-PREINPUT, VRMR-PREFORWARD, VRMR-PREOUTPUT ... and let's
>> do there what you have to do (rate-limiting, ACCEPT/DROP packets that
>> Vuurmuur cannot match, ...).
>>
>>
>> To understand it well, let's have a look at iptables-save:
>>
>> **************
>>
>> ...
>> :VRMR-PREFORWARD - [0:0]
>> :VRMR-PREINPUT - [0:0]
>> :VRMR-PREOUTPUT - [0:0]
>> -A INPUT -j VRMR-PREINPUT
>> -A INPUT -i lo -j ACCEPT
>> ...
>> -A FORWARD -j VRMR-PREFORWARD
>> -A FORWARD -i eth0 -j ACC-eth0
>> -A FORWARD -i eth1 -j ACC-eth1
>> ...
>> -A OUTPUT -j VRMR-PREOUTPUT
>> -A OUTPUT -o lo -j ACCEPT
>> ...
>>
>> **************
>>
>>
>> With this patch I resolved my problem... and other ones as well.
>>
>> What do you think about this?
>
> I think the general approach of the PRE-VUURMUUR chains is a good idea.
> It's good to allow expert users to create rules before
> vuurmuur kicks in. I have 3 remarks:
>
> 1. The patch seems incomplete. To have it working in daemon mode there
> also have to be changes to ruleset.c, to ruleset_fill_file() to be
> exact. Otherwise the chains are not created by vuurmuur. Your patch only
> works for the vuurmuur bash output mode.

You are certainly right (you seem to know the code ;-). In fact, I hacked
vuurmuur very quickly to see if my solution was good. The patch has to be
completed to be correct for the rest of the code.

> 2. I would like to use slightly different chain names: PRE-VRMR-INPUT,
> PRE-VRMR-OUTPUT, etc. to indicate the chains evaluated before
> vuurmuur's rules.

Yes, of course, these names are more explicit.

> 3. While we are at it, I would like to extend the idea to the nat and
> mangle tables as well, so people get maximum flexibility.

Also right. I did see this side, as we don't use NAT and MANGLE today,
just INPUT/OUTPUT/FORWARD.

> What do you think?

I agree with all your remarks. I'm very glad to hear that this solution is
interesting for Vuurmuur. Now, how to proceed? Would you like me to write
the right and complete patch? I can try, but not today, because tomorrow I
take my VOLKSWAGEN Kombi for 3 weeks of windsurfing in the south of France
(computing is not everything ;-)! I think this is not urgent, so if you can
wait for 3 weeks, we can look at it together after my holidays? OK?

Many thanks for your answer,
Alex.

> Cheers!
> Victor
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys -- and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Vuurmuur-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/vuurmuur-users
>
>

--
Alexandre SIMON
Cellule Réseau StanNet/Lothaire
C.I.R.I.L.                 | Network on-call: +33 (0)3.83.68.24.24
Château du Montet          | Direct line:     +33 (0)3.83.68.24.32
Rue du Doyen Roubault      | Fax:             +33 (0)3.83.68.24.01
F - 54500 VANDOEUVRE       | Email:           [EMAIL PROTECTED]
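The wiring the thread agrees on is easy to get subtly wrong: the pre-chain has to be declared in every table and has to be rule number 1 of its built-in chain, otherwise Vuurmuur's own "no SYN"/INVALID drops (or any other rule) run first and the director traffic is lost anyway. Below is an added audit script, not code from the thread or from Vuurmuur, that parses iptables-save output and checks exactly that. It assumes Victor's proposed names for the filter table (PRE-VRMR-INPUT, PRE-VRMR-FORWARD, PRE-VRMR-OUTPUT) and, for the nat table from his third remark, the assumed names PRE-VRMR-NAT-PREROUTING and PRE-VRMR-NAT-POSTROUTING; the dump it reads is constructed and deliberately has the FORWARD jump in second place.

```python
"""Audit an iptables-save dump for pre-Vuurmuur chain wiring.

Added example, not Vuurmuur code. Filter-table names follow the thread;
the nat-table names are assumptions made for this example.
"""

# Constructed iptables-save output. FORWARD jumps to ACC-eth0 before it
# jumps to PRE-VRMR-FORWARD, so the "pre" rules are NOT evaluated first.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:PRE-VRMR-INPUT - [0:0]
:PRE-VRMR-FORWARD - [0:0]
:PRE-VRMR-OUTPUT - [0:0]
:ACC-eth0 - [0:0]
-A INPUT -j PRE-VRMR-INPUT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -i eth0 -j ACC-eth0
-A FORWARD -j PRE-VRMR-FORWARD
-A OUTPUT -j PRE-VRMR-OUTPUT
-A OUTPUT -o lo -j ACCEPT
-A PRE-VRMR-FORWARD -i eth0 -p tcp --dport 80 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PRE-VRMR-NAT-PREROUTING - [0:0]
:PRE-VRMR-NAT-POSTROUTING - [0:0]
-A PREROUTING -j PRE-VRMR-NAT-PREROUTING
-A POSTROUTING -j PRE-VRMR-NAT-POSTROUTING
COMMIT
"""

# Per table: built-in chain -> pre-chain that must be its first rule.
EXPECTED = {
    "filter": {"INPUT": "PRE-VRMR-INPUT",
               "FORWARD": "PRE-VRMR-FORWARD",
               "OUTPUT": "PRE-VRMR-OUTPUT"},
    "nat": {"PREROUTING": "PRE-VRMR-NAT-PREROUTING",     # assumed name
            "POSTROUTING": "PRE-VRMR-NAT-POSTROUTING"},  # assumed name
}


def parse_iptables_save(text):
    """Return {table: {"chains": {name: policy}, "rules": {chain: [body]}}}.

    policy is "-" for user chains; body is the rule text after "-A <chain>",
    kept in the order iptables evaluates it.
    """
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # table header
            table = line[1:]
            tables[table] = {"chains": {}, "rules": {}}
        elif line == "COMMIT":
            table = None
        elif line.startswith(":"):                    # chain declaration
            name, policy = line[1:].split()[:2]
            tables[table]["chains"][name] = policy
            tables[table]["rules"].setdefault(name, [])
        elif line.startswith("-A "):                  # appended rule
            _, chain, *body = line.split()
            tables[table]["rules"].setdefault(chain, []).append(" ".join(body))
    return tables


def check_pre_chains(tables, expected=EXPECTED):
    """Return findings; empty means every pre-chain exists and is rule 1."""
    findings = []
    for table, builtins in expected.items():
        if table not in tables:
            findings.append(f"{table}: table missing from dump")
            continue
        chains, rules = tables[table]["chains"], tables[table]["rules"]
        for builtin, pre in builtins.items():
            if pre not in chains:
                findings.append(f"{table}/{builtin}: chain {pre} not declared")
                continue
            body, jump = rules.get(builtin, []), f"-j {pre}"
            if body[:1] == [jump]:
                continue                              # unconditional jump is rule 1
            if jump not in body:
                findings.append(f"{table}/{builtin}: no jump to {pre}")
            else:
                findings.append(f"{table}/{builtin}: jump to {pre} is rule "
                                f"{body.index(jump) + 1}, not 1 "
                                f"(preceded by '{body[0]}')")
    return findings


def bypass_rules(tables, expected=EXPECTED):
    """Every rule inside a pre-chain skips Vuurmuur's state checks; list them."""
    return [(table, pre, body)
            for table, builtins in expected.items()
            for pre in builtins.values()
            for body in tables.get(table, {}).get("rules", {}).get(pre, [])]


if __name__ == "__main__":
    parsed = parse_iptables_save(SAMPLE_DUMP)
    for finding in check_pre_chains(parsed):
        print("PROBLEM:", finding)
    for table, pre, body in bypass_rules(parsed):
        print(f"pre-chain rule [{table}/{pre}]: {body}")
```

On the constructed dump the checker reports one problem, the misplaced FORWARD jump, and the listing shows the single rule that bypasses Vuurmuur. That second list is the part worth keeping an eye on after the patch lands: anything ACCEPTed in a pre-chain is never seen by the "no SYN"/INVALID checks, so rules there should stay as narrow as the director setup needs (bound to the interface and service port, as in the sample) rather than a blanket ACCEPT.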
