[pve-devel] Firewalling Proxmox with Shorewall

Loiseleur Michel michel at loiseleur.com
Fri Aug 17 00:10:42 CEST 2012


Hi,

I've come back from my holidays :). See my response below.

On 06/08/2012 13:16, Dietmar Maurer wrote:
> [...]
>
> I just set up a git repository for the firewall test code:
>
> https://git.proxmox.com/?p=pve-firewall.git;a=summary
It seems great and a good place to start hacking. I just needed to copy 
sample 1XX.fw files into /etc/pve/firewall/ in order to test it.

> [...]
> Unfortunately zone names are limited to 5 characters, so we need
> to translate them into short names. The current code adds the long
> name as comment to the output files.
>
> What do you think? Will that work?

First, you've made a useful trick for zone name limitations. It keeps 
rules & policy readable despite this limitation.

It seems to work between vms, at least with a simple ping test.
With a simple 101.fw like this:
[IN]
SSH(ACCEPT)
Ping(ACCEPT) net0 172.16.0.234 172.16.0.120

[OUT]
DNS(ACCEPT) net0
SSH(ACCEPT)
HTTP(ACCEPT) net0

It works as expected: ping works from 172.16.0.234 to 172.16.0.120 and 
doesn't from another IP or from 172.16.0.120 to 172.16.0.234.

In shorewall rules files, it has generated 3 rules:
Ping(ACCEPT)    $VMBR0:172.16.0.234 $VMBR0_VM101:tap101i0:172.16.0.120
Ping(ACCEPT)    $VMBR0_EXT:172.16.0.234 $VMBR0_VM101:tap101i0:172.16.0.120
Ping(ACCEPT)    $VMBR0_VM100:172.16.0.234 $VMBR0_VM101:tap101i0:172.16.0.120

Take note that this rule has the same effects as the three above:
Ping(ACCEPT)    $VMBR0_VM100:tap100i0          $VMBR0_VM101:tap101i0

And this one should work for an external IP this vm:
Ping(ACCEPT)    $VMBR0_EXT:X.X.X.X $VMBR0_VM101:tap101i0

What do you think about:
1) Renaming variables like $VMBR0VM100 to something like $VMBR_VM100?
2) Enhancing vm.fw syntax with a vm1XX:net0 syntax, instead of its IP?
3) Enhancing vm.fw syntax with a brX syntax in order to get a rule like 
this:
Ping(ACCEPT)    $VMBRX            ...
4) By default, IP rules would produce only rules like this:
Ping(ACCEPT)    $VMBR0_EXT:IP        ...

I'll also check what I can about testing from an external work, but not 
tonight. I am not sure, too, if this can work between 2 bridges.

Regards,
-- 
Michel Loiseleur
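
The expansion described in the message, as an added example that is not part of the original post and is not pve-firewall code: it parses the quoted 101.fw rule and reproduces the three generated Ping lines, then the single line that proposal 4 would leave. The function names, the field order (action, interface, source, destination), the peer zone list and the destination part of the proposal 4 line are assumptions read off the quoted samples.

```python
# Added illustration, not pve-firewall code.
# Constructed input: the [IN] part of the 101.fw quoted in the message.
SAMPLE_FW = """\
[IN]
SSH(ACCEPT)
Ping(ACCEPT) net0 172.16.0.234 172.16.0.120
"""

# Assumption: zones that share vmbr0 with VM 101, spelled as in the
# generated rules quoted in the message.
PEER_ZONES = ["$VMBR0", "$VMBR0_EXT", "$VMBR0_VM100"]


def parse_fw(text):
    """Parse vm.fw text into {section: [(action, iface, source, dest), ...]}."""
    rules, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
            rules.setdefault(section, [])
            continue
        fields = line.split()
        if section is None or len(fields) > 4:
            raise ValueError(f"cannot parse line: {raw!r}")
        # Missing trailing fields (iface, source, dest) become None.
        rules[section].append(tuple(fields + [None] * (4 - len(fields))))
    return rules


def expand_in_rule(rule, vmid, bridge="VMBR0", peers=PEER_ZONES):
    """Expand one [IN] rule that names an interface and a source IP."""
    action, iface, source, dest = rule
    if iface is None or source is None:
        raise ValueError("this sketch only covers rules with iface and source")
    if not (iface.startswith("net") and iface[3:].isdigit()):
        raise ValueError(f"unexpected interface name: {iface!r}")
    tap = f"tap{vmid}i{iface[3:]}"  # net0 of VM 101 -> tap101i0
    target = f"${bridge}_VM{vmid}:{tap}" + (f":{dest}" if dest else "")
    # A bare source IP carries no zone, so one line is emitted per peer zone.
    return [f"{action}    {zone}:{source} {target}" for zone in peers]


if __name__ == "__main__":
    ping = parse_fw(SAMPLE_FW)["IN"][1]
    print("\n".join(expand_in_rule(ping, 101)))
    # Proposal 4 from the message: an IP source matches only the external zone.
    print("\n".join(expand_in_rule(ping, 101, peers=["$VMBR0_EXT"])))
```

With every peer zone listed, the source address is accepted from the host, from other VMs and from outside the bridge alike; restricting the list to the external zone is what proposal 4 changes.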


