[pve-devel] pvefw: use custom Drop/Reject

Alexandre DERUMIER aderumier at odiso.com
Wed Feb 26 17:54:29 CET 2014


ok, seems great :)

----- Original Message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Wednesday, February 26, 2014 17:38:53
Subject: RE: pvefw: use custom Drop/Reject

> how is it implemented in tapchain for example?

I currently only use it for the policy, but the plan is to use it for all DROP/REJECT.

-A tap100i0-OUT -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs 
-A tap100i0-OUT -p tcp -j PVEFW-tcpflags 
-A tap100i0-OUT -m conntrack --ctstate INVALID -j DROP 
-A tap100i0-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A tap100i0-OUT -j GROUP-group1-OUT 
-A tap100i0-OUT -m mark --mark 1 -j RETURN 
-A tap100i0-OUT -p tcp --dport 80 -g PVEFW-SET-ACCEPT-MARK 
# reject policy 
-A tap100i0-OUT -j PVEFW-Reject 
-A tap100i0-OUT -j LOG --log-prefix "tap100i0-OUT-reject: " --log-level 4 
-A tap100i0-OUT -g PVEFW-reject 


