From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Wed 18 Dec 2002 - 01:19:46 GMT
On Wed, Dec 18, 2002 at 12:56:19AM +0000, Paul Sladen wrote:
> On Tue, 17 Dec 2002, Roderick A. Anderson wrote:
> Hi Rod,
> > I'd like to try and get this straight in my head - poor container that it
> > Ipchains do not work from within vservers.
> Ipchains won't work from the main server either, we're using
> netfilter/iptables now since 2.4...
hmm, in this case, what is the option
for? (taken from linux-2.4.20 *G*)
> Filtering is a kernel/system feature and therefore is prevented from access
> within a vserver; set it up in your host server...
> > If so then how do I control on a vserver by vserver the IPs and ports
> > that respond (or don't respond?)
> Which daemons you start on which ports will dictate which respond...
unbound port (per IP) will not respond, bound will ...
> > In my situation I have total control over what is running in each
> > vserver but it varies for each vserver and may vary for each box I run
> > Vserver on.
> That probably helps, not having control over your own machines would
> probably leave you a bit stuck...
> > My concern/confusion is if I do the right thing and shut out everything
> > except ssh on the main server how will a vserver run a web-server, dns
> > server, or mail server only.
> Presumably you would only filter out traffic destined for the host-server's
> IP address, although if you're not running anything except NTP and SSH on
> that IP there's not really much to filter out anyway.
it is also advantageous to use two separate NICs,
one for the physical/management net and another one
for the virtual server IPs ... (again your mileage
HAND (Hard Acronym Not Done *smile*)
> HTH, HAND,
> Nottingham, GB
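The host-side filtering the thread arrives at (filter only traffic destined for the host server's own IP, leave the vserver IPs to their daemons) as a small netfilter rule generator. This is an added example, not code from the thread or the vserver project; the address 192.0.2.10 is a constructed placeholder, and the IPT variable is a convention introduced here so the script prints the rules instead of applying them unless you set IPT=iptables.

```shell
#!/bin/sh
# Added example: netfilter INPUT rules restricted to the host server's own IP.
# Packets addressed to vserver IPs never match "-d $host_ip" and are left
# alone, so whether a vserver port answers is decided by what it binds.
# IPT=echo (the default here) prints the rules; IPT=iptables applies them.
IPT="${IPT:-echo}"
HOST_IP="${HOST_IP:-192.0.2.10}"   # constructed example address, not real

host_only_rules() {
    host_ip="$1"
    # SSH (22/tcp) and NTP (123/udp) are the only services the host itself offers
    "$IPT" -A INPUT -d "$host_ip" -p tcp --dport 22 -j ACCEPT
    "$IPT" -A INPUT -d "$host_ip" -p udp --dport 123 -j ACCEPT
    # replies to connections the host itself opened (e.g. package updates)
    "$IPT" -A INPUT -d "$host_ip" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # everything else aimed at the host's management address is dropped
    "$IPT" -A INPUT -d "$host_ip" -j DROP
}

host_only_rules "$HOST_IP"
```

With two NICs as suggested above, the same rules apply unchanged: only the destination address matters, so the management address can sit on one interface and the vserver addresses on the other without the filter needing to know about interfaces at all.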