[pve-devel] pvefw security group questions

Dietmar Maurer dietmar at proxmox.com
Fri Feb 28 07:48:46 CET 2014


> Yes, Indeed, this can be tricky....
> 
> Alternatively, for this kind of setup with group rules containing IPs,
> maybe we can implement ipset?

Never used that so far.

> This allows us to create groups/aliases of IPs or ports, and it's faster (hashtable):
> 
> ipset -N groupip iphash --probes 8
> ipset -A groupip 10.0.0.1
> ipset -A groupip 10.0.0.2
> ipset -A groupip 10.0.0.3
> 
> iptables -A tapchain -p tcp --dport 80 -m set --set groupip src -j ACCEPT
> iptables -A tapchain -p tcp --dport 22 -m set --set groupip src -j ACCEPT
> 
> It's faster, 

So you want to create one ipset for each rule? Or simply allow users
to define groups of addresses, like:

----1000.fw---
[IPSET:groupip]

10.0.0.1 # first server IP
10.0.0.2 # second server IP
10.0.0.3 # third server IP
00:15:17:f8:c3:e5 # a MAC address?
what about ports?

...

[IN]

ACCEPT $groupip - tcp 22
----------
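As an added illustration (not code from the mail thread or from the Proxmox firewall itself), here is a parser for the `[IPSET:name]` section sketched above, plus a generator that turns the parsed sets and `[IN]`/`[OUT]` rules into ipset(8) and iptables(8) command lines using the current `ipset create`/`--match-set` syntax. It takes a position on the two open questions in the sketch: set entries are restricted to IPv4/IPv6 addresses or networks (a MAC address is rejected with a line number, because a `hash:net` set cannot hold one), and ports stay in the rule columns rather than in the set. The file format, column order (`ACTION SOURCE DEST PROTO DPORT`, `-` meaning any), chain naming and the sample config are all assumptions made for this example.

```python
"""Parser for the proposed [IPSET:<name>] firewall section (hypothetical format).

Assumed layout: an [IPSET:name] section lists one address or network per
line (a trailing '# comment' is allowed); [IN]/[OUT] sections hold rules of
the form ACTION SOURCE DEST PROTO DPORT, where SOURCE/DEST may be '$name'
(a set reference), a literal address, or '-' for any. Sets must be defined
before the rules that reference them.
"""
import ipaddress
import re

# Constructed sample in the proposed format; not a real Proxmox firewall file.
SAMPLE_FW = """\
[IPSET:groupip]

10.0.0.1 # first server IP
10.0.0.2 # second server IP
10.0.0.3 # third server IP
10.0.1.0/24 # a whole network

[IN]

ACCEPT $groupip - tcp 22
ACCEPT $groupip - tcp 80
DROP - - - -
"""

SECTION_RE = re.compile(r"^\[(?:IPSET:(?P<set>[A-Za-z0-9_]+)|(?P<chain>IN|OUT))\]$")
ACTIONS = {"ACCEPT", "DROP", "REJECT"}
PROTOS = {"tcp", "udp", "-"}


def strip_comment(line):
    """Drop a trailing '# ...' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_fw(text):
    """Return ({set_name: [ip_network, ...]}, {chain: [rule, ...]}).

    Raises ValueError (with the offending line number) for entries a hash:net
    set cannot hold, mixed IPv4/IPv6 sets, malformed rules, or references to
    sets that were never defined.
    """
    ipsets, chains, current = {}, {"IN": [], "OUT": []}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = ("set", m.group("set")) if m.group("set") else ("chain", m.group("chain"))
            if m.group("set"):
                ipsets.setdefault(m.group("set"), [])
            continue
        if current is None:
            raise ValueError(f"line {lineno}: entry outside any section")
        kind, name = current
        if kind == "set":
            try:  # ip_network() accepts bare hosts as /32 (or /128) networks
                ipsets[name].append(ipaddress.ip_network(line, strict=False))
            except ValueError:
                raise ValueError(f"line {lineno}: {line!r} is not an IP address or network") from None
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 'ACTION SOURCE DEST PROTO DPORT'")
        action, src, dst, proto, dport = fields
        if action not in ACTIONS or proto not in PROTOS:
            raise ValueError(f"line {lineno}: unknown action or protocol")
        if dport != "-" and (proto == "-" or not dport.isdigit() or not 1 <= int(dport) <= 65535):
            raise ValueError(f"line {lineno}: a port needs tcp/udp and must be 1-65535")
        for ref in (src, dst):
            if ref.startswith("$") and ref[1:] not in ipsets:
                raise ValueError(f"line {lineno}: undefined ipset {ref}")
        chains[name].append({"action": action, "src": src, "dst": dst, "proto": proto, "dport": dport})
    for name, nets in ipsets.items():
        if len({n.version for n in nets}) > 1:
            raise ValueError(f"ipset {name}: an ipset holds one address family only")
    return ipsets, chains


def validate(text):
    """Return None when the text parses, otherwise the error message."""
    try:
        parse_fw(text)
    except ValueError as exc:
        return str(exc)
    return None


def build_commands(ipsets, chains, chain_prefix="tapchain"):
    """Render ipset/iptables command lines for the parsed configuration."""
    cmds = []
    for name, nets in ipsets.items():
        family = "inet6" if nets and nets[0].version == 6 else "inet"
        cmds.append(f"ipset create {name} hash:net family {family}")
        for net in nets:  # print single hosts without the redundant /32 or /128
            entry = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
            cmds.append(f"ipset add {name} {entry}")
    for chain, rules in chains.items():
        for r in rules:
            parts = ["iptables", "-A", f"{chain_prefix}-{chain}"]
            if r["proto"] != "-":
                parts += ["-p", r["proto"]]
            if r["dport"] != "-":
                parts += ["--dport", r["dport"]]
            for ref, direction in ((r["src"], "src"), (r["dst"], "dst")):
                if ref.startswith("$"):  # match against the kernel-side set, not N address rules
                    parts += ["-m", "set", "--match-set", ref[1:], direction]
                elif ref != "-":
                    parts += ["-s" if direction == "src" else "-d", ref]
            parts += ["-j", r["action"]]
            cmds.append(" ".join(parts))
    return cmds


if __name__ == "__main__":
    print("\n".join(build_commands(*parse_fw(SAMPLE_FW))))
```

Running the module prints one `ipset create`, four `ipset add` lines and three iptables rules for the constructed sample; feeding it the sketch's `00:15:17:f8:c3:e5` line instead yields a `ValueError` naming the line, which is the behaviour a config loader should have rather than silently passing the entry to ipset.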
