[pve-devel] pvefw security group questions

Alexandre DERUMIER aderumier at odiso.com
Thu Feb 27 17:04:25 CET 2014


>>So that DROP is simply skipped when you use: 
>>
>>vm1.FW 
>>GROUP-group1 net0 - - 80 - - 
>>
>>That looks quite strange to me? 

Yes, indeed, this can be tricky...

Alternatively, for this kind of setup with group rules containing IPs,
maybe we could implement ipset?

This allows creating groups/aliases of IPs or ports, and it's faster (hash table lookup instead of one rule per address):

# create a hash:ip set and fill it with the group's addresses
ipset create groupip hash:ip
ipset add groupip 10.0.0.1
ipset add groupip 10.0.0.2
ipset add groupip 10.0.0.3

# match the source address against the set; --dport needs -p tcp
iptables -A tapchain -p tcp --dport 80 -m set --match-set groupip src -j ACCEPT
iptables -A tapchain -p tcp --dport 22 -m set --match-set groupip src -j ACCEPT

It's faster, and maybe avoids confusion.



----- Mail original ----- 

From: "Dietmar Maurer" <dietmar at proxmox.com> 
To: "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: pve-devel at pve.proxmox.com 
Sent: Thursday 27 February 2014 16:04:25 
Subject: RE: pvefw security group questions 

> Can be usefull to do something like this for example 
> 
> vm1.FW 
> GROUP-group1 net0 - - 80 - - 
> 
> 
> vm2.FW 
> GROUP-group1 net0 - - 22 - - 
> 
> 
> and 
> [GROUP1] 
> 
> ACCEPT 10.0.0.1 - - - - 
> ACCEPT 10.0.0.2 - - - - 
> ACCEPT 10.0.0.3 - - - - 

I thought a security group would also define things which should be blocked, for example: 

[GROUP1] 

ACCEPT 10.0.0.1 - - - - 
ACCEPT 10.0.0.2 - - - - 
ACCEPT 10.0.0.3 - - - - 
DROP - - udp - 

So that DROP is simply skipped when you use: 

vm1.FW 
GROUP-group1 net0 - - 80 - - 

That looks quite strange to me? 
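To make the two ideas in this exchange concrete, here is an added example (not Proxmox VE code, and not something either poster wrote) that renders a pvefw-style security group as an ipset plus a per-group iptables chain, and a VM rule that references the group with a port restriction. It prints the commands instead of executing them, so it runs without root and without the ipset/iptables binaries; the set, chain and tap-chain names (groupip, GROUP1, tap100i0) are illustrative assumptions. The point it shows is the one Dietmar raises: when the VM rule jumps to the group chain only for dport 80, the group's trailing DROP only ever sees port-80 traffic, so a "DROP udp" inside the group is dead.

```shell
#!/bin/sh
# Added example (not Proxmox VE code): render a security group as
#   - an ipset (hash:ip, O(1) source lookup instead of one rule per address)
#   - a per-group iptables chain (ACCEPT from the set, then a DROP)
#   - a VM rule that jumps to the group chain, optionally limited to a port
# Commands are echoed, not run. Names are illustrative assumptions.

# emit_ipset SET IP... : create the set and add each address (-exist makes it idempotent)
emit_ipset() {
    set_name=$1
    shift
    echo "ipset create $set_name hash:ip -exist"
    for ip in "$@"; do
        echo "ipset add $set_name $ip -exist"
    done
}

# emit_group_chain CHAIN SET : ACCEPT sources in the set, then DROP udp,
# mirroring the [GROUP1] with a trailing DROP rule from the thread.
emit_group_chain() {
    chain=$1
    set_name=$2
    echo "iptables -N $chain"
    echo "iptables -A $chain -m set --match-set $set_name src -j ACCEPT"
    echo "iptables -A $chain -p udp -j DROP"
}

# emit_vm_rule TAPCHAIN GROUPCHAIN [PORT] : the "GROUP-group1 net0 - - 80 - -" line.
# With a port, only tcp/PORT traffic enters the group chain, so the group's
# "DROP udp" can never match anything: that is the skipped DROP discussed above.
emit_vm_rule() {
    tap_chain=$1
    group_chain=$2
    port=$3
    if [ -n "$port" ]; then
        echo "iptables -A $tap_chain -p tcp --dport $port -j $group_chain"
    else
        echo "iptables -A $tap_chain -j $group_chain"
    fi
}

# render : full rule set for vm1 from the thread (assumed tap chain tap100i0)
render() {
    emit_ipset groupip 10.0.0.1 10.0.0.2 10.0.0.3
    emit_group_chain GROUP1 groupip
    emit_vm_rule tap100i0 GROUP1 80
}

render
```

Dropping the port argument from emit_vm_rule makes the VM rule an unconditional jump, which is the only form in which the group's DROP rule is reachable for all traffic.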


