[pve-devel] pvefw security group questions
Alexandre DERUMIER
aderumier at odiso.com
Thu Feb 27 16:58:16 CET 2014
>>Instead, I would restrict the group to be either in or out, but not both.
>>Or do we need a direction at all (why)?
I have done that like this, because I had RETURN or ACCEPT in group-in/out chains
But now that we are using mark, I think it can be ok !
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Thursday, 27 February 2014 13:09:45
Subject: RE: pvefw security group questions
> >>Note: we only jump to group if source == 1.2.3.4?
> >>Do we want such functionality?
>
> Can be useful to do something like this for example
>
> vm1.FW
> GROUP-group1 net0 - - 80 - -
>
>
> vm2.FW
> GROUP-group1 net0 - - 22 - -
>
>
> and
> [GROUP1]
>
> ACCEPT 10.0.0.1 - - - -
> ACCEPT 10.0.0.2 - - - -
> ACCEPT 10.0.0.3 - - - -
Ah
> >>[OUT]
> >>
> >>GROUP-group1 net3
> >>GROUP-group2 net0
> >>
> >>Note: Usage of 'net3' instead of 'net0' is a typo? Or do we want to allow that?
>
> I would like to be able to set up a different security group for each interface.
> (I can have a vm with a lan interface and san/nfs interface for example, with
> different rules)
>
>
>
> >>We could avoid all those problems by introducing a [GROUPS] section:
> >>
> >>--100.fw-
> >>[GROUPS]
> >>group1 net0
> >>group2 net0
> >>
> >>[IN]
> >>
> >>[OUT]
> >>
> >>-----
> >>
> >>what do you think?
>
> mmm, I don't know, because like this we can't specify group rules order vs
> tap rules order.
> If by example, I have a group rule with a DROP, and a tap rules with ACCEPT,
> and I want the group rule tested before the tap rule.
> or reverse,
> I have a tap rule with DROP and a group rule with ACCEPT, and I want the tap
> rule tested before the group rule
Ok, I guess I finally got what you want ;-)
The confusing part for me is that a single group can have IN and OUT sections:
---groups.fw---
[IN:group1]
ACCEPT - - tcp 22 -
[OUT:group1]
ACCEPT - - tcp 80 -
ACCEPT - - icmp - -
---------
Instead, I would restrict the group to be either in or out, but not both.
Or do we need a direction at all (why)?
---groups.fw---
[group1]
ACCEPT - - tcp 22 -
[group2]
ACCEPT - - tcp 80 -
ACCEPT - - icmp - -
---------
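As an added example (not pve-firewall's own parser, and not code from either author of this thread), the Python below sketches how the direction-less groups file proposed at the end of this message and the per-interface GROUP-<name> lines from the quoted reply could be expanded into one ordered rule list per direction. That makes the ordering concern visible: a GROUP line placed before a direct tap rule is tested first, and the same group can be attached to net0 and net1 independently. The column layouts, the first-match semantics, the rule that a group inherits the interface of the line referencing it, the refusal of nested groups, and the sample files are all assumptions made for the example.

```python
# Added example (not pve-firewall code): expand GROUP-<name> references in a
# per-VM firewall file into one flat, ordered rule list per direction.
# Column layouts are assumptions based on the sketches in the thread:
#   group rule:  ACTION SOURCE DEST PROTO DPORT SPORT
#   VM rule:     ACTION IFACE SOURCE DEST PROTO DPORT SPORT
# '-' means "any" in every column.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GroupRule = Tuple[str, str, str, str, str, str]


@dataclass
class Rule:
    action: str
    iface: str
    source: str
    dest: str
    proto: str
    dport: str
    sport: str
    origin: str  # "tap" for a direct VM rule, "group:<name>" when spliced in


def _sections(text: str) -> Dict[str, List[str]]:
    """Split an ini-like file into {section: [rule lines]}, dropping blanks and comments."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"rule outside any section: {line!r}")
        sections[current].append(line)
    return sections


def parse_groups(text: str) -> Dict[str, List[GroupRule]]:
    """Parse the direction-less [name] groups file proposed in the thread."""
    groups: Dict[str, List[GroupRule]] = {}
    for name, lines in _sections(text).items():
        rules: List[GroupRule] = []
        for line in lines:
            fields = line.split()
            if len(fields) != 6:
                raise ValueError(f"[{name}]: expected 6 columns: {line!r}")
            if fields[0].startswith("GROUP-"):
                # Assumption: no nested groups, so expansion is one pass with no cycles.
                raise ValueError(f"[{name}]: groups may not reference groups")
            rules.append(tuple(fields))  # type: ignore[arg-type]
        groups[name] = rules
    return groups


def expand_vm_rules(vm_text: str, groups: Dict[str, List[GroupRule]]) -> Dict[str, List[Rule]]:
    """Return {"IN": [...], "OUT": [...]} in file order, with GROUP lines spliced in place."""
    result: Dict[str, List[Rule]] = {"IN": [], "OUT": []}
    for direction, lines in _sections(vm_text).items():
        if direction not in result:
            raise ValueError(f"unknown section [{direction}]")
        for line in lines:
            fields = line.split()
            if len(fields) != 7:
                raise ValueError(f"[{direction}]: expected 7 columns: {line!r}")
            action, iface, source, dest, proto, dport, sport = fields
            if action.startswith("GROUP-"):
                name = action[len("GROUP-"):]
                if name not in groups:
                    raise ValueError(f"[{direction}]: unknown group {name!r}")
                # The group's rules inherit the interface of the referencing line.
                for g_action, g_src, g_dst, g_proto, g_dport, g_sport in groups[name]:
                    result[direction].append(
                        Rule(g_action, iface, g_src, g_dst, g_proto, g_dport, g_sport, f"group:{name}"))
            else:
                result[direction].append(Rule(action, iface, source, dest, proto, dport, sport, "tap"))
    return result


def _matches(rule_value: str, packet_value: str) -> bool:
    return rule_value == "-" or rule_value == packet_value


def first_match(rules: List[Rule], iface: str, proto: str, dport: str, source: str = "-") -> Optional[Rule]:
    """First-match semantics: the earliest rule in list order decides the verdict."""
    for r in rules:
        if r.iface == iface and _matches(r.proto, proto) and _matches(r.dport, dport) \
                and _matches(r.source, source):
            return r
    return None


# Constructed sample files for this example.
GROUPS_FW = """
[group1]
ACCEPT - - tcp 22 -
[group2]
ACCEPT - - tcp 80 -
ACCEPT - - icmp - -
"""

VM_FW = """
[IN]
GROUP-group1 net0 - - - - -
DROP net0 - - tcp 80 -
GROUP-group2 net0 - - - - -
GROUP-group1 net1 - - - - -
[OUT]
ACCEPT net0 - - icmp - -
"""

if __name__ == "__main__":
    expanded = expand_vm_rules(VM_FW, parse_groups(GROUPS_FW))
    for r in expanded["IN"]:
        print(r.origin, r.action, r.iface, r.proto, r.dport)
    hit = first_match(expanded["IN"], "net0", "tcp", "80")
    print("tcp/80 on net0 ->", hit.action if hit else "no match")
```

Running it shows that tcp/80 on net0 hits the direct DROP, because that tap rule sits before the GROUP-group2 line whose ACCEPT would otherwise have matched; moving the GROUP line above the DROP flips the verdict, which is the ordering question raised in the quoted reply.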