[pve-devel] pvefw security group questions
Alexandre DERUMIER
aderumier at odiso.com
Thu Feb 27 17:04:25 CET 2014
>>So that DROP is simply skipped when you use:
>>
>>vm1.FW
>>GROUP-group1 net0 - - 80 - -
>>
>>That looks quite strange to me?
Yes, indeed, this can be tricky...
Alternatively, for this kind of setup (group rules with IPs),
maybe we could implement ipset?
This allows creating groups/aliases of IPs or ports, and it's faster (hash table):
ipset -N groupip iphash --probes 8
ipset -A groupip 10.0.0.1
ipset -A groupip 10.0.0.2
ipset -A groupip 10.0.0.3
iptables -A tapchain -p tcp --dport 80 -m set --set groupip src -j ACCEPT
iptables -A tapchain -p tcp --dport 22 -m set --set groupip src -j ACCEPT
It's faster, and maybe avoids confusion.
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Thursday, 27 February 2014 16:04:25
Subject: RE: pvefw security group questions
> It can be useful to do something like this, for example:
>
> vm1.FW
> GROUP-group1 net0 - - 80 - -
>
>
> vm2.FW
> GROUP-group1 net0 - - 22 - -
>
>
> and
> [GROUP1]
>
> ACCEPT 10.0.0.1 - - - -
> ACCEPT 10.0.0.2 - - - -
> ACCEPT 10.0.0.3 - - - -
I thought a security group would also define things which should be blocked, for example:
[GROUP1]
ACCEPT 10.0.0.1 - - - -
ACCEPT 10.0.0.2 - - - -
ACCEPT 10.0.0.3 - - - -
DROP - - udp -
So that DROP is simply skipped when you use:
vm1.FW
GROUP-group1 net0 - - 80 - -
That looks quite strange to me?
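As an added example (not pve-firewall code, nor from either author), the following script turns a group definition like the one discussed above into the ipset-based rules Alexandre proposes. It uses the current ipset/iptables syntax (ipset create/add, -m set --match-set) rather than the older -N/iphash/--set form; the chain and set names, and modelling the group-level DROP as a trailing protocol rule after the ACCEPTs, are assumptions.

```shell
#!/bin/sh
# Emit the ipset + iptables commands that implement a security group as a
# hash:ip set. Commands are printed, not executed, so they can be reviewed.
# Syntax is the current ipset/iptables form; chain and set names are assumed.

# gen_group_rules CHAIN SETNAME "IP IP ..." "PORT PORT ..." [DROP_PROTO]
gen_group_rules() {
    chain=$1 set=$2 ips=$3 ports=$4 drop_proto=$5
    # -exist makes create/add idempotent when the set is already present
    printf 'ipset create %s hash:ip -exist\n' "$set"
    for ip in $ips; do
        printf 'ipset add %s %s -exist\n' "$set" "$ip"
    done
    # One rule per allowed TCP port; the set match replaces N per-IP rules
    for port in $ports; do
        printf 'iptables -A %s -p tcp --dport %s -m set --match-set %s src -j ACCEPT\n' \
            "$chain" "$port" "$set"
    done
    # Optional group-level DROP (assumed mapping of "DROP - - udp -"): it must
    # follow the ACCEPT rules, since iptables stops at the first matching rule.
    if [ -n "$drop_proto" ]; then
        printf 'iptables -A %s -p %s -j DROP\n' "$chain" "$drop_proto"
    fi
}

# Constructed sample matching the thread: group1 = three hosts,
# vm1 allows TCP port 80 from the group, and the group also drops udp.
gen_group_rules tap100i0 group1 "10.0.0.1 10.0.0.2 10.0.0.3" "80" udp
```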