[pve-devel] [PATCH 2/2] bridge rules : -j ACCEPT for physical interfaces

Dietmar Maurer dietmar at proxmox.com
Wed Feb 26 07:26:51 CET 2014


> with
> -A vmbr0-FW -m physdev --physdev-is-in --physdev-is-bridged -j vmbr0-OUT
> -A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j vmbr0-IN
> -A vmbr0-FW -j ACCEPT
> 
> or
> -A vmbr0-FW -m physdev --physdev-is-in --physdev-is-bridged -j vmbr0-OUT
> -A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j vmbr0-IN
> -A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j ACCEPT
> (maybe this is better ?)
> 
> it's working fine

applied, but I have added another change:

https://git.proxmox.com/?p=pve-firewall.git;a=commitdiff;h=fdb0bf200c4d48f0826c365ace8f126c535a4600

I now always use PVEFW-SET-ACCEPT-MARK for OUT chains, so that way we can 
re-use chains for the host firewall.

any objections?
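As an added illustration (not code from the thread or from pve-firewall), the following POSIX shell lint checks an `iptables-save` dump for the layout the reply converges on: the bridge's `-FW` chain must dispatch `--physdev-is-in` traffic to `-OUT` and `--physdev-is-out` traffic to `-IN` before any unconditional `-j ACCEPT`, and the `-OUT` chain must end in `PVEFW-SET-ACCEPT-MARK` rather than `-j ACCEPT` so it stays reusable from other hooks. The two sample dumps are constructed here; the `--set-mark 1` value in them is an assumption, not pve-firewall's real mark.

```shell
#!/bin/sh
# Added example, not part of pve-firewall: audit the bridge chain layout
# discussed in the thread. Usage: iptables-save | check_bridge_fw vmbr0
# Exit status 0 when the layout holds, 1 otherwise (violations are printed).

check_bridge_fw() {
    br="$1"
    awk -v br="$br" '
    # Rules of the bridge FORWARD dispatch chain (BR-FW).
    $1 == "-A" && $2 == (br "-FW") {
        line = $0
        if (line ~ /--physdev-is-in/ && line ~ ("-j " br "-OUT$")) have_out = 1
        if (line ~ /--physdev-is-out/ && line ~ ("-j " br "-IN$")) have_in = 1
        # An unconditional ACCEPT is only safe once both directions were dispatched.
        if (line ~ /^-A [^ ]+ -j ACCEPT$/ && !(have_out && have_in)) {
            print "unconditional ACCEPT before physdev dispatch: " line
            bad = 1
        }
    }
    # Rules of the guest OUT chain must mark, not terminate with ACCEPT.
    $1 == "-A" && $2 == (br "-OUT") && $0 ~ /-j ACCEPT$/ {
        print "OUT chain uses -j ACCEPT instead of PVEFW-SET-ACCEPT-MARK: " $0
        bad = 1
    }
    END {
        if (!have_out) { print br "-FW: missing --physdev-is-in -> " br "-OUT"; bad = 1 }
        if (!have_in)  { print br "-FW: missing --physdev-is-out -> " br "-IN"; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: the layout the thread settles on (mark value 1 is assumed).
good_dump() {
    cat <<'EOF'
*filter
:PVEFW-SET-ACCEPT-MARK - [0:0]
:vmbr0-FW - [0:0]
:vmbr0-IN - [0:0]
:vmbr0-OUT - [0:0]
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-mark 1
-A vmbr0-FW -m physdev --physdev-is-in --physdev-is-bridged -j vmbr0-OUT
-A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j vmbr0-IN
-A vmbr0-FW -j ACCEPT
-A vmbr0-OUT -p tcp --dport 22 -j PVEFW-SET-ACCEPT-MARK
COMMIT
EOF
}

# Constructed sample with both defects: ACCEPT before dispatch, and an OUT
# chain that terminates with ACCEPT (so it cannot be reused elsewhere).
bad_dump() {
    cat <<'EOF'
*filter
:vmbr0-FW - [0:0]
:vmbr0-IN - [0:0]
:vmbr0-OUT - [0:0]
-A vmbr0-FW -j ACCEPT
-A vmbr0-FW -m physdev --physdev-is-in --physdev-is-bridged -j vmbr0-OUT
-A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j vmbr0-IN
-A vmbr0-OUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Stand-alone demonstration on the constructed dumps.
good_dump | check_bridge_fw vmbr0 && echo "good dump: ok"
bad_dump | check_bridge_fw vmbr0 || echo "bad dump: violations found"
```

On a live host the same function can be pointed at the real ruleset with `iptables-save | check_bridge_fw vmbr0`; it needs only awk and reads the dump from stdin, so it fits in a cron job or a pre-deploy check.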
