[pve-devel] pvefw security group questions
Dietmar Maurer
dietmar at proxmox.com
Fri Feb 28 07:48:46 CET 2014
> Yes, indeed, this can be tricky...
>
> Alternatively, for this kind of setup with rules with group rules with IPs,
> maybe we can implement ipset?
Never used that so far.
> This allows creating a group/alias of IPs or ports, and it's faster (hashtable):
>
> ipset -N groupip iphash --probes 8
> ipset -A groupip 10.0.0.1
> ipset -A groupip 10.0.0.2
> ipset -A groupip 10.0.0.3
>
> iptables -A tapchain -p tcp --dport 80 -m set --set groupip src -j ACCEPT
> iptables -A tapchain -p tcp --dport 22 -m set --set groupip src -j ACCEPT
>
> It's faster,
So you want to create one ipset for each rule? Or simply allow users
to define groups of addresses, like:
----1000.fw---
[IPSET:groupip]
10.0.0.1 # first server IP
10.0.0.2 # second server IP
10.0.0.3 # third server IP
00:15:17:f8:c3:e5 # a MAC address?
what about ports?
...
[IN]
ACCEPT $groupip - tcp 22
----------
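A parser and command generator for the config layout sketched above, added here as an example (not pve-firewall code; the `[IPSET:name]` / `[IN]` section names, the `$name` reference form, the five-field rule layout and the `hash:ip` set type are assumptions). It rejects a MAC address as a set member and a rule that references an undefined set, which are the two open questions in the sketch:

```python
import ipaddress
import re

# Constructed sample in the [IPSET:name] / [IN] layout sketched in the mail;
# the syntax is assumed for this example and may differ from pve-firewall's.
SAMPLE_FW = """
[IPSET:groupip]
10.0.0.1 # first server IP
10.0.0.2 # second server IP
10.0.0.3 # third server IP
[IN]
ACCEPT $groupip - tcp 22
"""

def parse_fw(text):
    """Return ({set_name: [ip, ...]}, [(action, src, dst, proto, dport), ...])."""
    ipsets, rules, section = {}, [], None
    # Drop trailing '# comments' and blank lines before interpreting each entry.
    for line in filter(None, (r.split("#", 1)[0].strip() for r in text.splitlines())):
        if m := re.fullmatch(r"\[IPSET:(\w+)\]", line):
            section = ("ipset", m.group(1))
            ipsets.setdefault(m.group(1), [])
        elif line == "[IN]":
            section = ("in", None)
        elif section is None:
            raise ValueError(f"entry outside any section: {line!r}")
        elif section[0] == "ipset":
            ipsets[section[1]].append(str(ipaddress.ip_address(line)))  # MAC -> ValueError
        else:
            action, src, dst, proto, port = line.split()  # ValueError if malformed
            if src.startswith("$") and src[1:] not in ipsets:
                raise ValueError(f"rule references undefined ipset {src}")
            rules.append((action, src, dst, proto, port))
    return ipsets, rules

def render(ipsets, rules, chain="tapchain"):
    """One ipset(8)/iptables(8) command per line, ipset 6 syntax (-N/-A = create/add)."""
    cmds = [f"ipset -N {n} hash:ip" for n in ipsets]
    cmds += [f"ipset -A {n} {ip}" for n, ips in ipsets.items() for ip in ips]
    for action, src, dst, proto, port in rules:
        opts = []
        if src.startswith("$"):  # one hash lookup instead of one rule per member
            opts.append(f"-m set --match-set {src[1:]} src")
        elif src != "-":
            opts.append(f"-s {src}")
        for flag, val in (("-d", dst), ("-p", proto), ("--dport", port)):
            if val != "-":
                opts.append(f"{flag} {val}")
        cmds.append(f"iptables -A {chain} {' '.join(opts)} -j {action}")
    return cmds
```

`render(*parse_fw(SAMPLE_FW))` yields the set creation, three member additions and a single `iptables` rule matching on the set, instead of one rule per address.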