[pve-devel] pvefw security group questions

Alexandre DERUMIER aderumier at odiso.com
Thu Feb 27 12:43:34 CET 2014


>>Note: we only jump to group if source == 1.2.3.4? 
>>Do we want such functionality? 

Can be useful to do something like this, for example:

vm1.FW
GROUP-group1 net0 - - 80 - -


vm2.FW
GROUP-group1 net0 - - 22 - -


and 
[GROUP1]

ACCEPT 10.0.0.1 - - - -
ACCEPT 10.0.0.2 - - - -
ACCEPT 10.0.0.3 - - - -




>>[OUT] 
>>
>>GROUP-group1 net3 
>>GROUP-group2 net0  
>>
>>Note: Usage of 'net3' instead of 'net0' is a typo? Or do we want to allow that?

I would like to be able to set up a different security group for each interface.
(I can have a VM with a LAN interface and a SAN/NFS interface, for example, with different rules.)



>>We could avoid all those problems by introducing a [GROUPS] section: 
>>
>>--100.fw- 
>>[GROUPS] 
>>group1 net0 
>>group2 net0 
>>
>>[IN] 
>>
>>[OUT] 
>>
>>----- 
>>
>>what do you think?

mmm, I don't know, because like this we can't specify group rule order vs. tap rule order.
If, for example, I have a group rule with a DROP and a tap rule with ACCEPT, and I want the group rule tested before the tap rule,
or the reverse:
I have a tap rule with DROP and a group rule with ACCEPT, and I want the tap rule tested before the group rule.



----- Original Message ----- 

From: "Dietmar Maurer" <dietmar at proxmox.com> 
To: "Alexandre DERUMIER (aderumier at odiso.com)" <aderumier at odiso.com> 
Cc: pve-devel at pve.proxmox.com 
Sent: Thursday, 27 February 2014 11:32:39 
Subject: pvefw security group questions 

I still have problems with the security group design, for example: 

--100.fw- 
[IN] 

GROUP-group1 net0 
GROUP-group2 net0 

[OUT] 

GROUP-group2 net0 
GROUP-group1 net0 
----- 

Note: group order is different between IN and OUT 

--100.fw- 
[IN] 

GROUP-group1 net0 1.2.3.4 
----- 

Note: we only jump to group if source == 1.2.3.4? 

Do we want such functionality? 

another example: 

--100.fw- 
[IN] 

GROUP-group1 net0 
GROUP-group2 net0 

[OUT] 

GROUP-group1 net3 
GROUP-group2 net0 
----- 

Note: Usage of 'net3' instead of 'net0' is a typo? Or do we want to allow that? 

We could avoid all those problems by introducing a [GROUPS] section: 

--100.fw- 
[GROUPS] 
group1 net0 
group2 net0 

[IN] 

[OUT] 

----- 

what do you think? 
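As an added illustration of the ordering argument in the reply (this is not Proxmox code), the script below flattens inline GROUP- references into a first-match rule list. The field layout (five wildcard-able match fields after the action/interface, positionally shared between VM rules and group rules) is inferred from the examples in the thread and is an assumption, not the pvefw specification.

```python
"""Added example: expand GROUP-<name> lines of a pvefw-style .fw file in place.
Assumed syntax (inferred from the thread, not a spec):
  VM rule:    <ACTION> <iface> <f1> <f2> <f3> <f4> <f5>
  group rule: <ACTION> <f1> <f2> <f3> <f4> <f5>
ACTION is ACCEPT, DROP or GROUP-<name>; '-' is a wildcard; the jump into a
group only happens when the referencing line's own fields match."""
import re

def parse_sections(text):
    """Return {SECTION: [token lists]} for an ini-like .fw file."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = m.group(1).upper()
            sections.setdefault(current, [])
        else:
            sections[current].append(line.split())
    return sections

def merge(ref_fields, grp_fields):
    """Combine the reference line's conditions with a group rule's; None if they contradict."""
    out = []
    for r, g in zip(ref_fields, grp_fields):
        if r != "-" and g != "-" and r != g:
            return None
        out.append(g if g != "-" else r)
    return out

def flatten(vm_rules, groups):
    """Expand GROUP- references where they stand, so order vs. plain tap rules survives."""
    flat = []
    for action, iface, *fields in vm_rules:
        if action.startswith("GROUP-"):
            for g_action, *g_fields in groups[action[len("GROUP-"):].upper()]:
                merged = merge(fields, g_fields)
                if merged is not None:
                    flat.append((g_action, iface, *merged))
        else:
            flat.append((action, iface, *fields))
    return flat

def first_match(flat, iface, fields):
    """First-match evaluation of a flattened list; '-' in a rule field matches anything."""
    for action, r_iface, *r_fields in flat:
        if r_iface == iface and all(r in ("-", f) for r, f in zip(r_fields, fields)):
            return action
    return "no match"

# Constructed files modelled on the thread: the same two rules in both orders.
GROUPS = parse_sections("[GROUP1]\nACCEPT 10.0.0.1 - - - -\nACCEPT 10.0.0.2 - - - -\n")
VM1 = parse_sections("[IN]\nDROP net0 10.0.0.1 - - - -\nGROUP-group1 net0 - - 80 - -\n")
VM2 = parse_sections("[IN]\nGROUP-group1 net0 - - 80 - -\nDROP net0 10.0.0.1 - - - -\n")
```

For a packet from 10.0.0.1 to port 80 on net0, VM1 yields DROP and VM2 yields ACCEPT: the outcome depends purely on where the GROUP- line sits relative to the tap rule, which a separate [GROUPS] section with a fixed insertion point could not express.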


