[pve-devel] pvefw security group questions
Dietmar Maurer
dietmar at proxmox.com
Fri Feb 28 07:56:56 CET 2014
> >>Instead, I would restrict the group to be either in or out, but not both.
> >>Or do we need a direction at all (why)?
>
> I have done it like this because I had RETURN or ACCEPT in the group-in/out
> chains. But now that we are using mark, I think it can be ok!
Thought more about that, and I guess the correct way would be to
use a common section for all rules (instead of separate IN and OUT sections).
For example:
---groups.fw----
[group1]
IN ACCEPT 10.0.0.1
IN ACCEPT 10.0.0.2
OUT ACCEPT 10.0.0.2
----------
----100.fw----
[RULES]
IN SSH(ACCEPT) net0
OUT HTTP(ACCEPT) net0
GROUP group1
OUT HTTPS(DROP) net0
----------
Not sure if that is easy to understand for the average user?
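To make the proposal concrete, here is a small parser and first-match evaluator for the layout sketched above (a `[groupN]` section mixing IN and OUT rules, spliced into a VM's `[RULES]` at the point of the `GROUP` line). This is an added example written for this page, not Proxmox code, and it assumes things the message does not state: a rule without a macro matches any port, an IN rule's address is the source and an OUT rule's address the destination, the macros SSH/HTTP/HTTPS mean TCP 22/80/443, a trailing argument that is not an address is an interface name, and the first matching rule decides. The two files are the ones from the message, embedded as constructed strings.

```python
"""Toy parser/evaluator for the groups.fw / 100.fw layout proposed above.
Added example, not Proxmox code; the macro table, address semantics and
first-match policy are assumptions, not the project's definitions."""
import ipaddress
import re

MACROS = {"SSH": 22, "HTTP": 80, "HTTPS": 443}  # assumed macro -> port table

RULE_RE = re.compile(
    r"^(?P<dir>IN|OUT)\s+"
    r"(?:(?P<macro>[A-Z]+)\((?P<macro_action>ACCEPT|DROP|REJECT)\)"
    r"|(?P<bare_action>ACCEPT|DROP|REJECT))"
    r"(?:\s+(?P<arg>\S+))?$"
)


def parse_sections(text):
    """Split an ini-style file into {section: [non-empty, non-comment lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"rule before any section: {line!r}")
        else:
            sections[current].append(line)
    return sections


def parse_rule(line):
    """Turn 'IN SSH(ACCEPT) net0' or 'OUT ACCEPT 10.0.0.2' into a dict."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable rule: {line!r}")
    macro = m.group("macro")
    if macro is not None and macro not in MACROS:
        raise ValueError(f"unknown macro {macro!r} in {line!r}")
    rule = {"dir": m.group("dir"),
            "action": m.group("macro_action") or m.group("bare_action"),
            "port": MACROS[macro] if macro else None,  # None = any port
            "addr": None, "iface": None}
    arg = m.group("arg")
    if arg:
        try:                                   # address/network, else interface
            rule["addr"] = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            rule["iface"] = arg
    return rule


def expand_rules(vm_text, groups_text):
    """Parse a VM file and splice each GROUP reference in at its position."""
    groups = {name: [parse_rule(l) for l in lines]
              for name, lines in parse_sections(groups_text).items()}
    rules = []
    for line in parse_sections(vm_text).get("RULES", []):
        if line.startswith("GROUP "):
            name = line.split(None, 1)[1].strip()
            if name not in groups:
                raise ValueError(f"undefined group {name!r}")
            rules.extend(groups[name])  # a group may mix IN and OUT rules
        else:
            rules.append(parse_rule(line))
    return rules


def evaluate(rules, direction, addr, port, iface):
    """First-match evaluation; returns the action, or None if nothing matched."""
    ip = ipaddress.ip_address(addr)
    for r in rules:
        if r["dir"] != direction:
            continue
        if r["port"] is not None and r["port"] != port:
            continue
        if r["addr"] is not None and ip not in r["addr"]:
            continue
        if r["iface"] is not None and r["iface"] != iface:
            continue
        return r["action"]
    return None


# Constructed input: the two files from the message.
GROUPS_FW = """
[group1]
IN ACCEPT 10.0.0.1
IN ACCEPT 10.0.0.2
OUT ACCEPT 10.0.0.2
"""

VM100_FW = """
[RULES]
IN SSH(ACCEPT) net0
OUT HTTP(ACCEPT) net0
GROUP group1
OUT HTTPS(DROP) net0
"""

# Same rules with the GROUP line moved after the HTTPS drop, to show that
# where the group is referenced changes the verdict.
VM100_FW_GROUP_LAST = VM100_FW.replace("GROUP group1\n", "") + "GROUP group1\n"


def decide(vm_text, direction, addr, port, iface="net0"):
    return evaluate(expand_rules(vm_text, GROUPS_FW), direction, addr, port, iface)
```

Under these assumptions, an outbound HTTPS connection to 10.0.0.2 is accepted with the file as written (the group's `OUT ACCEPT 10.0.0.2` sits before `OUT HTTPS(DROP) net0`), but dropped if the `GROUP group1` line is moved below the drop rule, which is exactly why a single ordered section with per-rule direction is easier to reason about than separate IN/OUT sections inside the group.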