interfering with heartbeat when the control connection runs on an interface connected to internet

Alan Robertson alanr@unix.sh
Wed, 20 Feb 2002 08:30:49 -0700


Lars Marowsky-Bree wrote:
> 
> On 2002-02-20T13:32:58,
>    Alex Kramarov <alex@incredimail.com> said:
> 
> > what are the chances that someone could trigger a shutdown (or make both
> > nodes active at the same time) of heartbeat by sending specially crafted
> > packets to the machines: since the protocol is UDP, it's virtually
> > impossible to filter these packets by iptables on the cluster machines ?
> 
> Well, of course you can always filter such incoming traffic, both on the nodes
> and more importantly on your firewall.
> 
> But even then heartbeat has strong authentication for its communication and it
> shouldn't be possible for even sophisticated attackers to fake this.
> 
> Look at the authkeys file.

You can also look at the ALS conference paper describing the communications
infrastructure.  You can find it pointed to here:
	http://www.linux-ha.org/comm/

	-- Alan Robertson
	   alanr@unix.sh
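
The keyed-authentication point made in the thread, as an added example that is not part of the original messages and is not heartbeat's own code: a receiver holding the shared secret from an authkeys-style file drops any datagram whose MAC does not verify. The `auth=<id> <mac>` trailer, the use of HMAC-SHA1 for the `sha1` method, the message fields and the key value are assumptions made for illustration, not heartbeat's wire format.

```python
import hashlib
import hmac

# Constructed sample in the authkeys layout: "auth <id>" picks the signing key,
# each following line is "<id> <method> <secret>".
SAMPLE_AUTHKEYS = """\
# constructed example, not a real key
auth 1
1 sha1 constructed-shared-secret
"""

def load_authkeys(text):
    """Return (active_id, {id: (method, secret_bytes)}) from authkeys-style text."""
    active, keys = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 2)
        if fields[0] == "auth" and len(fields) == 2:
            active = fields[1]
        elif len(fields) == 3:
            keys[fields[0]] = (fields[1], fields[2].encode())
        else:
            raise ValueError("unparseable line: %r" % raw)
    if active not in keys:
        raise ValueError("active key id has no key line")
    return active, keys

def sign(payload, key_id, keys):
    """Append a hypothetical 'auth=<id> <hex mac>' trailer to the payload."""
    method, secret = keys[key_id]
    if method != "sha1":
        raise ValueError("this sketch only handles the sha1 method")
    mac = hmac.new(secret, payload, hashlib.sha1).hexdigest()
    return payload + b"\nauth=%s %s" % (key_id.encode(), mac.encode())

def verify(datagram, keys):
    """Return the payload if the trailer's MAC is valid, else None (drop)."""
    payload, sep, trailer = datagram.rpartition(b"\nauth=")
    parts = trailer.split()
    if not sep or len(parts) != 2:
        return None
    entry = keys.get(parts[0].decode(errors="replace"))
    if entry is None or entry[0] != "sha1":
        return None
    expected = hmac.new(entry[1], payload, hashlib.sha1).hexdigest().encode()
    return payload if hmac.compare_digest(expected, parts[1]) else None
```

Packet filtering on the nodes and the firewall, as suggested in the reply, still reduces what reaches this check at all.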