[pve-devel] Firewalling between vms

Dietmar Maurer dietmar at proxmox.com
Mon Jul 23 12:32:10 CEST 2012


see also:

http://www.montanalinux.org/proxmox-ve-with-shorewall-part2.html

seems shorewall only supports a single bridge device - is that still true?


> -----Original Message-----
> From: Michel Loiseleur [mailto:michel at loiseleur.com]
> Sent: Montag, 23. Juli 2012 11:45
> To: Dietmar Maurer
> Cc: pve-devel at pve.proxmox.com
> Subject: Re: Firewalling between vms
> 
> Ok. I wasn't aware of this "net.bridge.bridge-nf-call-iptables" sysctl
> parameter.
> 
> I'll take a deeper look and see what I can do with it.
> 
> Regards,
> 
> 
> ----- Mail original -----
> > That is simply not true. You just need to change the value in
> > /etc/sysctl.d/pve.conf.
> > I guess shorewall does that automatically if you configure
> > bridge-ports.
> >
> >
> > The initial question was how we can work around those limitations.
> >
> >
> > shorewall is by far the 'simplest' solution (believe me).
> >
> >
> > How do you implement DNAT? Does that work with ebtables?
> > In future, we will extend the network model to have a routed setup, so
> > ebtables will not work anyway.
> >
> >
> > ebtables is not the way to go.
> >
> > I suggest you do more research on shorewall, and think about how we
> > can generate a reasonable setup with shorewall.
> >
> > - Dietmar
> >
