[pve-devel] Firewalling Proxmox with Shorewall
Dietmar Maurer
dietmar at proxmox.com
Mon Aug 6 13:16:01 CEST 2012
> Now that I hope to have gained my "you're not anymore a complete noob in
> shorewall networking" medal, maybe I would be able to see what can I do
> about multiple bridges. It seems there's a start of answer here:
> http://www1.shorewall.net/bridge-Shorewall-perl.html#Multiple
>
> According to this page, one should be able to use a logical name in order to
> workaround uniqueness on port name.
I just set up a git repository for the firewall test code:
https://git.proxmox.com/?p=pve-firewall.git;a=summary
I think it can work this way, but I never tested it completely.
You can find an example vm firewall configuration in 'config/100.fw'
If you run ./fwtest.pl it generates an example shorewall config in 'testdir'
# ls -l testdir/
total 16
-rw-r--r-- 1 root root 805 Aug 6 12:48 interfaces
-rw-r--r-- 1 root root 105 Aug 6 12:48 policy
-rw-r--r-- 1 root root 288 Aug 6 12:48 rules
-rw-r--r-- 1 root root 589 Aug 6 12:48 zones
IDEA:
Each VM is inside a '$vmzone', by default 'vm$vmid'.
Or you can set the zone in the vm config (to group several vms
into the same zone).
We create one shorewall zone for each ${bridge} and ${vmzone},
and call that zone "z${bridge}${vmzone}".
If we have vlan $tag on that bridge, we create a zone
named "z${bridge}v${tag}${vmzone}".
Unfortunately zone names are limited to 5 characters, so we need
to translate them into short names. The current code adds the long
name as comment to the output files.
What do you think? Will that work?
- Dietmar
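The zone-naming scheme proposed above (one zone per bridge and $vmzone, a separate zone per VLAN tag, and a translation to short names because of Shorewall's 5-character limit) is illustrated by the following Python sketch. It is an added example, not code from pve-firewall or from the mail; the function names, the `ZoneNames` allocator, the sequential `z0`, `z1`, ... short names and the sample VM list are all assumptions made here, and the generated file is only the 'zones' file, not the 'interfaces', 'policy' or 'rules' files that fwtest.pl also writes.

```python
"""Illustration of the per-VM Shorewall zone naming described in the mail.

Long (descriptive) names follow the scheme:
    z${bridge}${vmzone}            VM on a plain bridge
    z${bridge}v${tag}${vmzone}     VM on VLAN $tag of that bridge
$vmzone defaults to 'vm$vmid' unless the VM config sets an explicit zone,
so several VMs can share one zone. Each long name is mapped to a unique
short name of at most 5 characters and the long name is kept as a comment.
"""
import re
from typing import Dict, List, Optional

MAX_ZONE_LEN = 5                                   # Shorewall limit from the mail
VALID_ZONE = re.compile(r"^[A-Za-z][A-Za-z0-9]{0,4}$")


def long_zone_name(bridge: str, vmzone: str, tag: Optional[int] = None) -> str:
    """Build the descriptive zone name exactly as the mail proposes."""
    if tag is None:
        return f"z{bridge}{vmzone}"
    return f"z{bridge}v{tag}{vmzone}"


class ZoneNames:
    """Allocate short, unique zone names (assumed scheme: z0, z1, ...)."""

    def __init__(self, prefix: str = "z"):
        self.prefix = prefix
        self.long_to_short: Dict[str, str] = {}
        self._next = 0

    def short(self, long_name: str) -> str:
        """Return the short name for long_name, allocating one if needed."""
        if long_name in self.long_to_short:
            return self.long_to_short[long_name]
        name = f"{self.prefix}{self._next}"
        self._next += 1
        if len(name) > MAX_ZONE_LEN or not VALID_ZONE.match(name):
            raise ValueError(f"cannot allocate a valid short zone name: {name}")
        self.long_to_short[long_name] = name
        return name


def vm_zone(vm: dict) -> str:
    """$vmzone is 'vm$vmid' unless the VM config sets an explicit zone."""
    return vm.get("zone") or f"vm{vm['vmid']}"


def build_zones(vms: List[dict], names: ZoneNames) -> Dict[str, str]:
    """Return {long_name: short_name} for every distinct zone the VMs need.

    VMs with the same bridge, tag and $vmzone collapse into one zone,
    which is how the mail groups several VMs together.
    """
    zones: Dict[str, str] = {}
    for vm in vms:
        long_name = long_zone_name(vm["bridge"], vm_zone(vm), vm.get("tag"))
        zones[long_name] = names.short(long_name)
    return zones


def render_zones_file(zones: Dict[str, str]) -> str:
    """Render a Shorewall 'zones' file, with the long name kept as a comment."""
    lines = ["#ZONE\tTYPE", "fw\tfirewall"]
    for long_name, short_name in sorted(zones.items(), key=lambda kv: kv[1]):
        lines.append(f"# {short_name} = {long_name}")
        lines.append(f"{short_name}\tipv4")
    return "\n".join(lines) + "\n"


# Constructed sample VM configs (not from the repository's config/100.fw).
SAMPLE_VMS = [
    {"vmid": 100, "bridge": "vmbr0"},                 # default zone vm100
    {"vmid": 101, "bridge": "vmbr0", "tag": 5},       # VLAN 5 on vmbr0
    {"vmid": 102, "bridge": "vmbr0", "zone": "web"},  # explicit zone 'web'
    {"vmid": 103, "bridge": "vmbr0", "zone": "web"},  # grouped with 102
    {"vmid": 104, "bridge": "vmbr1", "zone": "web"},  # same zone name, other bridge
]


if __name__ == "__main__":
    print(render_zones_file(build_zones(SAMPLE_VMS, ZoneNames())), end="")
```

Running the script prints the four resulting zones (`z0` to `z3`): VMs 102 and 103 share `zvmbr0web`, while VM 104 lands in a different zone because the bridge is part of the name. The sequential short names keep the 5-character limit satisfiable regardless of how long a user-chosen $vmzone is; the comment lines are the only place the descriptive name survives, which is why the mail keeps them in the output.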