Hi,

On [Tue, 11 Dec 2001 12:45:16 -0000] "Tim Sellar" <[EMAIL PROTECTED]> wrote:

> Just an update that the issue with iptables is not being ignored. However,
> we have been concentrating on removing the need for iptables by getting
> Apache to run securely on port 80.... Details as soon as the testing is
> completed..

hmm, if this would cause losing the possibility to install new, generic Apaches, then I would really, really prefer the iptables version. Everyone should become familiar with iptables a little bit, because of security and traffic measurement issues. Taking iptables away wouldn't help anyone in the long run.

regards
jimmy

>
> Tim
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Simon Garner
> > Sent: 10 December 2001 02:22
> > To: Chris Fulton
> > Cc: freevsd-support
> > Subject: Re: [Openvds-devel] iptables
> >
> >
> > Hi Chris,
> >
> > > From my understanding, and experience with this same problem 'connecting
> > > to self' I have observed that connections made from the VS start sockets
> > > on eth0 when one would hope it would use eth0:2. In other words, use the
> > > virtual interface instead of the real one.
> >
> > Ah, okay, just tested this... If I lynx to port 8080 on the VS from the host
> > server, in the logs this request appears with the VS's IP instead of the
> > host server's. So it appears that traffic to alias interfaces on the local
> > machine always appears to originate from that same alias interface...
> >
> > That's a slightly different issue to what you're talking about. But it
> > doesn't really explain why the iptables rules don't work, since those rules
> > are not placing any restriction on the source address. Presumably it instead
> > means the rule is not getting executed at all.
> >
> > > Another related issue:
> > > If you send yourself some email from your VS account to an account on a
> > > different server and look at the headers you will see that your host
> > > server will be exposed due to the fact that the smtp server you connect
> > > to will do a reverse lookup on your ip and discover the host server, not
> > > the vs, since the packets originate from there.
> >
> > Yep, not sure that could be fixed without hacking the Linux IP stack.
> >
> > > I think this is probably the biggest problem with running an effective
> > > VS at the moment. Here is my understanding: If all VS' connections
> > > originate from '127.0.0.1' on the host server, do all my clients have
> > > access to VSD protocol? Yes. You have to allow it to be able to use
> > > vsdadm from the command line. I'm sure there are plenty of other reasons to
> > > want VS' connections to originate from the VS' ip not the host's ip, and
> > > not allow access to 127.0.0.1 from the VS.
> >
> > As long as you use the SSL version of VSD this shouldn't be a problem since
> > the VS users won't have access to your certificate. (They'll be able to
> > connect to the svsd service but won't be able to authenticate. Just like
> > they can probably connect to your ssh service but can't login.)
> >
> > Cheers,
> >
> > Simon
> >
> > ------------------------- The freeVSD Support List --------------------------
> > Subscribe: mailto:[EMAIL PROTECTED]?body=subscribe%20freevsd-support
> > Unsubscribe: mailto:[EMAIL PROTECTED]?body=unsubscribe%20freevsd-support
> > Archives: http://freevsd.org/support/mail-archives/freevsd-support
> > -----------------------------------------------------------------------------

James T. Koerting
KSD Germany
[EMAIL PROTECTED]
Murphy's Law: "Anything that can go wrong, will go wrong"
Parkinson's Law: "Work expands to exceed available time"
Koerting's Law: "Don't fight against these laws"
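Simon's observation in the quoted thread (a request from the host to a VS alias address shows up with the VS's IP as its source) can be checked from user space: a UDP connect() makes the kernel run its route and source-address selection without sending a packet, and getsockname() then reports the source it picked. This is an added example, not code from the thread or from freeVSD; the 192.0.2.x addresses in it are constructed placeholders to be replaced with the host's and a VS's real alias addresses.

```python
import socket


def source_address_for(dst: str, port: int = 80) -> str:
    """Return the local source address the kernel would use to reach dst.

    connect() on a UDP socket sends nothing; it only performs the route and
    source-address lookup, so this probe is safe to run offline.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((dst, port))
        return s.getsockname()[0]


def source_address_with_bind(bind_addr: str, dst: str, port: int = 80) -> str:
    """Same probe, but bind the socket to bind_addr before connecting.

    A client that binds explicitly to its own alias address keeps that
    address as source instead of letting the kernel choose one, which is
    what a log or an iptables source match on the far side will see.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_addr, 0))
        s.connect((dst, port))
        return s.getsockname()[0]


if __name__ == "__main__":
    # Constructed placeholders: put the eth0 address and an eth0:2 alias of a
    # freeVSD host here to reproduce the effect described in the thread.
    probes = ["127.0.0.1", "192.0.2.10", "192.0.2.20"]
    for dst in probes:
        try:
            print(f"to {dst:<12} kernel picks source {source_address_for(dst)}")
        except OSError as err:
            print(f"to {dst:<12} no route: {err}")
```

On a host with the alias configured, probing the alias address reports the alias itself as source, matching the log entries Simon describes; probing a remote address reports the primary address of the outgoing interface unless the socket was bound first.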
