[pve-devel] Firewalling Proxmox with Shorewall

Dietmar Maurer dietmar at proxmox.com
Fri Aug 17 09:58:39 CEST 2012


> > > And this one should work for an external IP this vm:
> > > Ping(ACCEPT)    $VMBR0_EXT:X.X.X.X $VMBR0_VM101:tap101i0
> And that's the same for this case: If I want to filter from an external IP, this
> rule should be enough.
> 
> Is this more clear?

Yes, but we want a solution which works for all scenarios. IMHO, my solution works
in both cases. Or what exactly does not work?

> > > What do you think about :
> > > 1) Renaming variables like $VMBR0VM100 to something like
> > > $VMBR_VM100
> >
> > Why do you want to drop the bridge number? Or do you just want to add
> > an underscore? Like $VMBR0_VM100 - that would be OK for me.
> 
> It's just an underscore, sorry for the typo. I'll send the patch, then.

OK

> > > 2) Enhancing vm.fw syntax with a vm1XX:net0 syntax, instead of its
> > > IP?
> >
> > Using IPs is standard, so it makes no sense to remove that feature.
> > The purpose is not
> > to select a specific VM. You use that to limit access to/from certain
> > external IPs.
> >
> > But you are right, we can allow VM zone names additionally.

Yes

> > > 3) Enhancing vm.fw syntax with a brX syntax in order to get a rule
> > > like
> >
> > I guess we need two different rules files. One for the VMs (this is
> > implemented), and one per node (or cluster wide).
> >
> > The node wide rules files can have normal shorewall syntax, and we can
> > allow to use zone variables like $VMBR0_VM100. That file can only be
> > edited by admin, so we can basically allow all shorewall features
> > there (DNAT, SNAT, ...)
> 
> I agree with you, we need a node-wide rules file. When I tested, the GUI was not
> accessible and I knew that my ssh wouldn't be able to reconnect.

Maybe we can add some default rules to allow ssh, https traffic?

> > > I am not sure, too, if this can work between 2 bridges.
> >
> > This will not work between different bridges, and this is intended
> > behaviour.
> > If someone wants that, he needs to use a routed network setup (like
> > openvz venet).
> >
> > Do you think this limitation will bite us? I don't really think that
> > is needed.
> 
> ATM, it's not really clear in my mind what a routed network setup can look
> like.

Like OpenVZ containers with venet.

> But my guess is clearly "No", provided that it's clear in the doc.
> The firewall can be deactivated easily and completely. So if one would like to
> implement the firewall in different software or an appliance (like a FortiGate or a
> Checkpoint), he would be able to do that.

ok
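Added example (editor's illustration, not Proxmox code and not written by either poster): a small Python translator for point 2 of the thread, accepting a VM zone reference (vm101:net0) in place of an external IP and emitting Shorewall rules lines with the $VMBR0_VM101 / $VMBR0_EXT zone variables. The vm.fw line format (ACTION SOURCE DEST), the "vm<id>:net<n>" token and the per-VM bridge lookup table are assumptions; the tap<vmid>i<n> interface name follows the tap101i0 example quoted above. It also enforces the limitation discussed later in the thread: a rule whose endpoints sit on two different bridges is rejected instead of silently producing a rule that cannot match.

```python
import ipaddress
import re

# Constructed sample: bridge number for each (vmid, net index) pair. A real
# implementation would read this from the VM config (netN: ...,bridge=vmbrX).
VM_NETDEV_BRIDGE = {
    ("100", "0"): "0",   # vm 100 net0 -> vmbr0
    ("101", "0"): "0",   # vm 101 net0 -> vmbr0
    ("200", "0"): "1",   # vm 200 net0 -> vmbr1
}

# Hypothetical vm.fw endpoint form "vm<id>:net<n>"; the exact syntax is an assumption.
VM_REF = re.compile(r"^vm(\d+):net(\d+)$")


def parse_endpoint(token):
    """Classify one endpoint token as a VM network device or an external IP address."""
    m = VM_REF.match(token)
    if m:
        key = (m.group(1), m.group(2))
        if key not in VM_NETDEV_BRIDGE:
            raise ValueError(f"unknown VM network device: {token}")
        return ("vm",) + key
    # Anything else must be a plain IPv4/IPv6 address (ValueError if it is not).
    return ("ip", str(ipaddress.ip_address(token)))


def translate_rule(line):
    """Translate 'ACTION SOURCE DEST' into a Shorewall rules line that uses the
    $VMBR<n>_VM<id> and $VMBR<n>_EXT zone variables from the thread."""
    parts = line.split()
    if len(parts) != 3:
        raise ValueError(f"expected 'ACTION SOURCE DEST', got: {line!r}")
    action, src, dst = parts
    ends = [parse_endpoint(src), parse_endpoint(dst)]

    # The bridge comes from the VM side; an IP-only rule has no bridge to attach to.
    bridges = {VM_NETDEV_BRIDGE[(e[1], e[2])] for e in ends if e[0] == "vm"}
    if not bridges:
        raise ValueError("at least one endpoint must be a VM network device")
    # Filtering between two bridges is not supported (intended behaviour per the thread).
    if len(bridges) > 1:
        raise ValueError("endpoints are on different bridges; not filtered by this scheme")
    bridge = bridges.pop()

    def render(e):
        if e[0] == "vm":
            _, vmid, net = e
            return f"$VMBR{bridge}_VM{vmid}:tap{vmid}i{net}"
        return f"$VMBR{bridge}_EXT:{e[1]}"

    return "\t".join([action, render(ends[0]), render(ends[1])])


def translate_file(text):
    """Translate every non-blank, non-comment line of a vm.fw-style file."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        out.append(translate_rule(line))
    return out


if __name__ == "__main__":
    # Constructed sample file in the assumed syntax.
    SAMPLE = """
    # allow ping from one external host to vm101, and vm100 -> vm101 on vmbr0
    Ping(ACCEPT) 203.0.113.5 vm101:net0
    ACCEPT vm100:net0 vm101:net0
    """
    for rule in translate_file(SAMPLE):
        print(rule)
```

The output lines are meant for the node-wide rules file discussed in the thread, where the zone variables are defined; rejecting cross-bridge rules at generation time keeps the "no filtering between bridges" limitation visible to the admin rather than hidden in a rule that never matches.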

