[pve-devel] pvefw security group questions

Alexandre DERUMIER aderumier at odiso.com
Thu Feb 27 16:58:16 CET 2014


>>Instead, I would restrict the group to be either in or out, but not both. 
>>Or do we need a direction at all (why)? 

I did it like this because I had RETURN or ACCEPT in the group-in/out chains.
But now that we are using mark, I think it can be ok!



----- Original Mail -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Thursday 27 February 2014 13:09:45
Subject: RE: pvefw security group questions

> >>Note: we only jump to group if source == 1.2.3.4? 
> >>Do we want such functionality? 
> 
> Can be useful to do something like this for example
> 
> vm1.FW 
> GROUP-group1 net0 - - 80 - - 
> 
> 
> vm2.FW 
> GROUP-group1 net0 - - 22 - - 
> 
> 
> and 
> [GROUP1] 
> 
> ACCEPT 10.0.0.1 - - - - 
> ACCEPT 10.0.0.2 - - - - 
> ACCEPT 10.0.0.3 - - - - 

Ah 

> >>[OUT] 
> >> 
> >>GROUP-group1 net3 
> >>GROUP-group2 net0 
> >> 
> >>Note: Usage of 'net3' instead of 'net0' is a typo? Or do we want to allow
> >>that?
> 
> I would like to be able to set up a different security group for each interface.
> (I can have a VM with a LAN interface and a SAN/NFS interface for example, with
> different rules)
> 
> 
> 
> >>We could avoid all those problems by introducing a [GROUPS] section: 
> >> 
> >>--100.fw- 
> >>[GROUPS] 
> >>group1 net0 
> >>group2 net0 
> >> 
> >>[IN] 
> >> 
> >>[OUT] 
> >> 
> >>----- 
> >> 
> >>what do you think? 
> 
> mmm, I don't know, because like this we can't specify the order of group rules vs
> tap rules.
> If for example I have a group rule with a DROP and a tap rule with ACCEPT,
> and I want the group rule tested before the tap rule,
> or the reverse:
> I have a tap rule with DROP and a group rule with ACCEPT, and I want the tap
> rule tested before the group rule.

Ok, I guess I finally got what you want ;-) 

The confusing part for me is that a single group can have IN and OUT sections: 

---groups.fw--- 
[IN:group1] 

ACCEPT - - tcp 22 - 

[OUT:group1] 

ACCEPT - - tcp 80 - 
ACCEPT - - icmp - - 
--------- 

Instead, I would restrict the group to be either in or out, but not both. 
Or do we need a direction at all (why)? 

---groups.fw--- 
[group1] 

ACCEPT - - tcp 22 - 

[group2] 

ACCEPT - - tcp 80 - 
ACCEPT - - icmp - - 
--------- 
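The ordering question raised above (a group DROP versus a tap ACCEPT, and which is tested first) is easier to see with a small model. The following Python is an added illustration written for this page; it is not Proxmox firewall code and does not reproduce pve-firewall's real parser. It assumes the direction-less groups.fw layout from the second proposal, with each group rule laid out as `ACTION SOURCE DEST PROTO DPORT SPORT` and `-` meaning "any", and it assumes that a `GROUP-name` entry in a VM's rule list is expanded in place, so the position of the reference decides whether the group's rules are checked before or after the neighbouring tap rules. The interface column from the vm1.FW example is left out to keep the model short. The sample config and packets are constructed.

```python
"""Toy model of ordered group/tap rule evaluation (illustration, not pve-firewall).

Assumptions (not from the thread, labelled here):
- group file: `[name]` sections, one rule per line as
  ACTION SOURCE DEST PROTO DPORT SPORT, with '-' meaning "any"
- VM rule list: evaluated top to bottom, first match decides
- a 'GROUP-name' entry is replaced in place by that group's rules
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

ACTIONS = ("ACCEPT", "DROP", "REJECT")


@dataclass(frozen=True)
class Rule:
    action: str
    source: Optional[str]   # None = any host
    dest: Optional[str]
    proto: Optional[str]    # e.g. "tcp", "icmp"; None = any
    dport: Optional[int]
    sport: Optional[int]


def _host(tok: str) -> Optional[str]:
    return None if tok == "-" else tok


def _port(tok: str) -> Optional[int]:
    return None if tok == "-" else int(tok)


def parse_groups(text: str) -> Dict[str, List[Rule]]:
    """Parse a groups.fw-style text into {group_name: [Rule, ...]}."""
    groups: Dict[str, List[Rule]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            groups[current] = []
            continue
        if current is None:
            raise ValueError(f"rule outside any [group] section: {line!r}")
        toks = line.split()
        if len(toks) != 6:
            raise ValueError(f"expected 6 columns, got {len(toks)}: {line!r}")
        action, src, dst, proto, dport, sport = toks
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r} in {line!r}")
        groups[current].append(
            Rule(action, _host(src), _host(dst), _host(proto), _port(dport), _port(sport))
        )
    return groups


def matches(rule: Rule, pkt: dict) -> bool:
    """A rule matches when every non-wildcard field equals the packet's field."""
    for attr in ("source", "dest", "proto", "dport", "sport"):
        want = getattr(rule, attr)
        if want is not None and want != pkt.get(attr):
            return False
    return True


def expand(vm_rules: List[Union[str, Rule]], groups: Dict[str, List[Rule]]) -> List[Rule]:
    """Flatten a VM rule list, splicing each referenced group in at its position."""
    flat: List[Rule] = []
    for entry in vm_rules:
        if isinstance(entry, str):
            if not entry.startswith("GROUP-"):
                raise ValueError(f"unexpected entry {entry!r}")
            name = entry[len("GROUP-"):]
            if name not in groups:
                raise KeyError(f"unknown security group {name!r}")
            flat.extend(groups[name])
        else:
            flat.append(entry)
    return flat


def verdict(vm_rules, groups, pkt: dict, default: str = "DROP") -> str:
    """First matching rule wins; unmatched traffic gets the default policy."""
    for rule in expand(vm_rules, groups):
        if matches(rule, pkt):
            return rule.action
    return default


# Constructed sample config, in the direction-less layout from the thread.
GROUPS_FW = """
[group1]
ACCEPT - - tcp 22 -

[group2]
ACCEPT - - tcp 80 -
ACCEPT - - icmp - -
"""

# Same two rules, opposite order: the reference position changes the outcome.
TAP_DROP = Rule("DROP", "10.0.0.9", None, None, None, None)
GROUP_FIRST = ["GROUP-group1", TAP_DROP]
TAP_FIRST = [TAP_DROP, "GROUP-group1"]

if __name__ == "__main__":
    g = parse_groups(GROUPS_FW)
    ssh = {"source": "10.0.0.9", "dest": "10.0.0.1", "proto": "tcp", "dport": 22, "sport": 40000}
    print("group before tap:", verdict(GROUP_FIRST, g, ssh))
    print("tap before group:", verdict(TAP_FIRST, g, ssh))
```

With the group reference placed first, SSH from 10.0.0.9 is accepted by group1 before the tap DROP is reached; with the tap DROP first, the same packet is dropped. A [GROUPS] section with no position in the rule list cannot express that difference, which is the point made in the reply.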


