[pve-devel] pvefw security group questions

Dietmar Maurer dietmar at proxmox.com
Thu Feb 27 13:09:45 CET 2014


> >>Note: we only jump to group if source == 1.2.3.4?
> >>Do we want such functionality?
> 
> It can be useful to do something like this, for example:
> 
> vm1.FW
> GROUP-group1 net0 - - 80 - -
> 
> 
> vm2.FW
> GROUP-group1 net0 - - 22 - -
> 
> 
> and
> [GROUP1]
> 
> ACCEPT 10.0.0.1 - - - -
> ACCEPT 10.0.0.2 - - - -
> ACCEPT 10.0.0.3 - - - -

Ah
 
> >>[OUT]
> >>
> >>GROUP-group1 net3
> >>GROUP-group2 net0
> >>
> >>Note: Usage of 'net3' instead of 'net0' is a typo? Or do we want to allow
> >>that?
> 
> I would like to be able to set up a different security group for each interface.
> (I can have a VM with a LAN interface and a SAN/NFS interface, for example, with
> different rules.)
> 
> 
> 
> >>We could avoid all those problems by introducing a [GROUPS] section:
> >>
> >>--100.fw-
> >>[GROUPS]
> >>group1 net0
> >>group2 net0
> >>
> >>[IN]
> >>
> >>[OUT]
> >>
> >>-----
> >>
> >>what do you think?
> 
> mmm, I don't know, because like this we can't specify the order of group rules
> vs tap rules.
> For example, I may have a group rule with a DROP and a tap rule with ACCEPT,
> and want the group rule tested before the tap rule.
> Or the reverse:
> I have a tap rule with DROP and a group rule with ACCEPT, and I want the tap
> rule tested before the group rule.

Ok, I guess I finally got what you want ;-)

The confusing part for me is that a single group can have IN and OUT sections:

---groups.fw---
[IN:group1]

ACCEPT - - tcp 22 -

[OUT:group1]

ACCEPT - - tcp 80 -
ACCEPT - - icmp - -
---------

Instead, I would restrict the group to be either in or out, but not both.
Or do we need a direction at all (why)?

---groups.fw---
[group1]

ACCEPT - - tcp 22 -

[group2]

ACCEPT - - tcp 80 -
ACCEPT - - icmp - -
---------
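An added example (not code from this thread or from pve-firewall) that models the ordering concern raised above: a GROUP-<name> line is expanded in place at its position in the VM's rule list, so the same two rules give different verdicts depending on which comes first. The field layout, the AND of a group line's own match fields with the group's rules, and the default DROP are assumptions made for this example only.

```python
# Assumed field layouts, inferred only from the shape of the lines quoted in the
# thread (not the real pve-firewall grammar): group rules are
#   ACTION SOURCE DEST PROTO DPORT SPORT
# and VM ("tap") rules carry an interface as second field:
#   ACTION IFACE SOURCE DEST PROTO DPORT SPORT.  "-" is a wildcard; first match wins.

GROUPS_FW = """\
[group1]
DROP 10.0.0.9 - tcp 22 -
ACCEPT - - tcp 22 -
"""  # constructed sample groups file

def parse_groups(text):
    """Parse [name] sections into {name: [rule tuples]}; an [IN:group1] prefix is kept."""
    groups, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            groups[current] = []
        else:
            groups[current].append(tuple(line.split()))
    return groups

def matches(rule, pkt):
    """rule and pkt are (src, dst, proto, dport, sport); '-' matches anything."""
    return all(r in ("-", p) for r, p in zip(rule, pkt))

def evaluate(vm_rules, groups, iface, pkt):
    """First match wins; a GROUP-<name> line expands in place (assumed semantics)."""
    for action, rule_iface, *match in vm_rules:
        if rule_iface not in ("-", iface) or not matches(match, pkt):
            continue
        if action.startswith("GROUP-"):
            for gaction, *gmatch in groups[action[len("GROUP-"):]]:
                if matches(gmatch, pkt):
                    return gaction
        else:
            return action
    return "DROP"  # assumed default policy when nothing matches

def verdicts(pkt):
    """Same two rules in both orders: (group line first, tap rule first)."""
    groups = parse_groups(GROUPS_FW)
    tap_accept = ("ACCEPT", "net0", "-", "-", "tcp", "22", "-")
    group_ref = ("GROUP-group1", "net0", "-", "-", "-", "-", "-")
    return (evaluate([group_ref, tap_accept], groups, "net0", pkt),
            evaluate([tap_accept, group_ref], groups, "net0", pkt))
```

For a packet from 10.0.0.9 to port 22, verdicts() returns ('DROP', 'ACCEPT'): the group's DROP only takes effect when the group line is listed before the tap ACCEPT, which is exactly what a separate [GROUPS] section could not express.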
