[pve-devel] pvefw security group question

Alexandre DERUMIER aderumier at odiso.com
Tue Feb 18 17:33:16 CET 2014


>>Yes, but you can also apply it for a single direction (only IN, only OUT)??

Yes, because I defined them explicitly IN or OUT

[IN:security1]  >> GROUP-security1-IN

ACCEPT - - - icmp - -

[OUT:security1]  >> GROUP-security1-OUT

ACCEPT - - - ssh - -



> vmid.fw 
> [IN] 
> GROUP-security1 net0 - - - - -    >> this apply GROUP-security1-IN
> 
> [OUT] 
> GROUP-security1 net0 - - - - -   >> this apply GROUP-security1-OUT


This gives us

-A GROUP-security1-IN -p icmp -j ACCEPT
-A GROUP-security1-OUT -p ssh -j BRIDGEFW-IN
-A tapxi0-OUT -j GROUP-security1-OUT
-A tapxi0-IN -j GROUP-security1-IN


If you try to apply this

-A tap1i0-OUT -j GROUP-security1-IN

this is bad, because if you need to firewall tap1i0-OUT -> tap2-IN, it'll do an ACCEPT in the group chain
and bypass tap2's inbound rules.
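As an added illustration of the chain layout described above (example code, not code from this thread or from pve-firewall), the Python sketch below builds the GROUP-<name>-IN/-OUT chains from [IN:name]/[OUT:name] sections, rewrites an OUT-side ACCEPT into a jump to BRIDGEFW-IN, and only ever jumps from a tap-IN or tap-OUT chain into the group chain with the same direction suffix, refusing a group that has no section for that direction. The seven-column layout (action iface source dest proto dport sport), the tap name and the tcp/22 rule are assumptions made for this example.

```python
# Constructed sample modelled on the thread's snippets (not a real PVE file); assumed columns: action iface source dest proto dport sport, "-" meaning any.
GROUPS_CFG = """[IN:security1]
ACCEPT - - - icmp - -
[OUT:security1]
ACCEPT - - - tcp 22 -
"""
VM_CFG = """[IN]
GROUP-security1 net0 - - - - -
[OUT]
GROUP-security1 net0 - - - - -
"""

def parse_sections(text):
    # map each [header] to its whitespace-split rule lines, keeping file order
    sections, cur = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("["):
            cur = sections.setdefault(line[1:-1], [])
        else:
            cur.append(line.split())
    return sections

def match_args(cols):
    # turn the source/dest/proto/dport/sport columns into iptables match options
    _, _, src, dst, proto, dport, sport = cols
    pairs = zip(("-s", "-d", "-p", "--dport", "--sport"), (src, dst, proto, dport, sport))
    return [tok for flag, val in pairs if val != "-" for tok in (flag, val)]

def generate_group_rules(groups_cfg):
    # one GROUP-<name>-<IN|OUT> chain per [IN:name]/[OUT:name] section
    rules = []
    for header, cols_list in parse_sections(groups_cfg).items():
        direction, name = header.split(":", 1)
        for cols in cols_list:
            action = cols[0]
            # an ACCEPT on the OUT side would bypass the destination tap's inbound rules
            if direction == "OUT" and action == "ACCEPT":
                action = "BRIDGEFW-IN"
            rules.append(" ".join(["-A", f"GROUP-{name}-{direction}", *match_args(cols), "-j", action]))
    return rules

def generate_vm_rules(vm_cfg, groups_cfg, tap):
    # jump from <tap>-IN/-OUT only into the group chain carrying the same direction suffix
    known, rules = parse_sections(groups_cfg), []
    for direction, cols_list in parse_sections(vm_cfg).items():
        for cols in cols_list:
            action = cols[0]
            if action.startswith("GROUP-"):
                name = action[len("GROUP-"):]
                if f"{direction}:{name}" not in known:
                    raise ValueError(f"{action} has no [{direction}:{name}] section")
                action = f"GROUP-{name}-{direction}"
            rules.append(" ".join(["-A", f"{tap}-{direction}", *match_args(cols), "-j", action]))
    return rules
```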




----- Original Message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Tuesday, 18 February 2014 16:10:32
Subject: RE: pvefw security group question

> Currently you can apply the security group in both direction 
> 
> vmid.fw 
> [IN] 
> GROUP-security1 net0 - - - - - 
> 
> [OUT] 
> GROUP-security1 net0 - - - - - 
> 
> 
> but in vmid.fw, I only specify the GROUP name. 

Yes, but you can also apply it for a single direction (only IN, only OUT)?? 

> But in firewall.pm, I force $group.'-IN' or $group.'-OUT'
> to be sure that a wrong group-in is not in tap-out, for example.
> 
> Note, I have send a small fix yesterday on the mailing, " 
> @@ -430,7 +430,7 @@ sub generate_group_rules { 
> # we go the BRIDGEFW-IN because we need to check also other tap 
> rules 
> # (and group rules can be set on any bridge, so we can't go to 
> VMBRXX-IN) 
> $rule->{action} = 'BRIDGEFW-IN' if $rule->{action} eq 'ACCEPT'; 
> - ruleset_generate_rule($rule, $chain, $rule); 
> + ruleset_generate_rule($ruleset, $chain, $rule); 
> } 
> } 
> } 
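Review bot: the removed call passed the rule hash `$rule` as the first argument of `ruleset_generate_rule`, where the rule set is expected, so the group rule was handed to the wrong object; the corrected `ruleset_generate_rule($ruleset, $chain, $rule)` is the right fix. One further point on the lines just above: `$rule->{action} = 'BRIDGEFW-IN' if $rule->{action} eq 'ACCEPT';` rewrites the rule hash in place, so if the same hash is reused afterwards (for instance to generate the IN variant of the group) it will already carry BRIDGEFW-IN instead of ACCEPT; working on a copy of `$rule` before the rewrite would avoid that.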
> " 
> maybe this is because you can't apply the group rule in both direction ? 

OK, applied that. 

> >>Do you really want that (why)? 
> 
> We need to be careful, because in GROUP-OUT we jump to BRIDGEFW-IN
> instead of ACCEPT.
>
> >>Or can we use an extra section for GROUPS, and always apply both
> directions?
> But we could define
> [GROUPS]
> securityname1 net0
>
> and generate GROUP-IN and GROUP-OUT from this rule. (only difference is
> -j ACCEPT or -j BRIDGEFW-IN)

No. I just want to apply GROUP-IN and GROUP-OUT. 


