
Using HAProxy as an SSH load balancer: we have HAProxy running on IP1:2222 and redirecting to IP1:2223-2233 and IP2:2223-2233.

In this case, do I need to open firewall ports from

  • Source IP:2222,2223-2233 to IP1:2223-2233 and IP2:2223-2233 or
  • Source IP:2222 to IP1:2222 and IP1:2222 to IP1:2223-2233 and IP2:2223-2233?

When I trace the route I don't see the request being forwarded from the LB to the actual targets in the sftp/ssh -vvv logs.

myloginid
  • I could not add a HAProxy or load balancer tag. Can someone with more reputation do this, please? – myloginid Mar 13 '17 at 03:51
  • There is no haproxy tag because haproxy is not related to information security. Apart from that, it is unclear from your question where Source IP, IP1, IP2 and haproxy sit in your network design, and especially where the firewall is, so it is impossible to tell how to configure the firewall. But my guess is that the firewall is between the client and the haproxy, in which case only port 2222 needs to be allowed, since this is the port the client uses to access the haproxy. haproxy then creates a new connection for each client connection, but these are inside the internal net and thus don't pass the firewall. – Steffen Ullrich Mar 13 '17 at 05:54
  • @SteffenUllrich - Thanks. That answers the question. However, in this case, since all the data will also traverse via IP1, the network cards on that machine can get maxed out. – myloginid Mar 13 '17 at 06:23

1 Answer

I assume the haproxy IP is IP. In that case, on your firewall you need to allow any port with source IP to destination IP1:2223-2233 or destination IP2:2223-2233. Similarly, allow traffic to the haproxy destination IP:2222 from any port in your required source subnet. In short, source ports will be random >1024, picked by the OS based on availability. The source port won't be the same 2222.

kalyan
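To make the answer's point concrete, here is an added illustration that is not part of the original question or answer: a small Python model of the two TCP connections each client SSH session produces (client to the HAProxy host on 2222, then HAProxy to a backend on 2223-2233), evaluated against a rule set keyed on fixed source ports and against one that allows any ephemeral source port. The addresses, the round-robin choice and the ephemeral-port counter are constructed assumptions, not values from the page.

```python
# Added example; addresses and port allocation below are constructed, not from the page.
CLIENT = "198.51.100.10"              # a client in the allowed source subnet
LB = "10.0.0.1"                       # IP1, which also runs HAProxy
BACKENDS = ["10.0.0.1", "10.0.0.2"]   # IP1 and IP2 from the question
BACKEND_PORTS = range(2223, 2234)     # sshd instances listening on 2223-2233
LB_PORT = 2222
EPHEMERAL = range(1024, 65536)        # what the OS picks for outbound source ports
FIXED = [2222] + list(BACKEND_PORTS)  # the misconception: source port == service port


def flows(n_clients=4):
    """(src, sport, dst, dport) for each hop of n client sessions.

    A deterministic counter stands in for the kernel's ephemeral-port allocator;
    HAProxy opens a brand-new connection to the backend, so hop 2 gets its own port.
    """
    targets = [(ip, p) for ip in BACKENDS for p in BACKEND_PORTS]
    result = []
    for i in range(n_clients):
        result.append((CLIENT, 32768 + 2 * i, LB, LB_PORT))     # hop 1: client -> LB
        dst_ip, dst_port = targets[i % len(targets)]             # simple round-robin
        result.append((LB, 32768 + 2 * i + 1, dst_ip, dst_port))  # hop 2: LB -> backend
    return result


def allowed(rules, flow):
    """Stateless match: a flow passes if any rule matches all four fields."""
    src, sport, dst, dport = flow
    return any(src == r["src"] and dst in r["dst"]
               and sport in r["sport"] and dport in r["dport"] for r in rules)


def dropped(rules):
    """Flows the rule set would block."""
    return [f for f in flows() if not allowed(rules, f)]


# Rule set A: the question's first option, keyed on fixed source ports.
RULES_FIXED_SPORT = [
    {"src": CLIENT, "sport": FIXED, "dst": [LB], "dport": [LB_PORT]},
    {"src": LB, "sport": FIXED, "dst": BACKENDS, "dport": BACKEND_PORTS},
]
# Rule set B: the answer's advice, any source port, fixed destination ports.
RULES_ANY_SPORT = [
    {"src": CLIENT, "sport": EPHEMERAL, "dst": [LB], "dport": [LB_PORT]},
    {"src": LB, "sport": EPHEMERAL, "dst": BACKENDS, "dport": BACKEND_PORTS},
]

if __name__ == "__main__":
    print("fixed source-port rules drop", len(dropped(RULES_FIXED_SPORT)), "of", len(flows()))
    print("any source-port rules drop", len(dropped(RULES_ANY_SPORT)), "of", len(flows()))
```

Rule set A blocks every hop because no real connection uses 2222 or 2223-2233 as its source port; rule set B passes all of them while still restricting destinations to the listening ports.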