[pve-devel] pvefw security group questions
Alexandre DERUMIER
aderumier at odiso.com
Fri Feb 28 08:10:15 CET 2014
>>So you want to create one ipset for each rule?
no
>>Or simply allow users
>>to define groups of address, like:
yes :) An advantage could also be to easily use this groupip in groups of rules.
I would also like to be able to share these groupip between different guests.
It could be great to have something like:
vm1 : group1
vm2: group2
group1 : allow ssh from ipgroup
group2 : allow http from ipgroup
>>
>>----1000.fw---
>>[IPSET:groupip]
>>
>>10.0.0.1 # first server IP
>>10.0.0.2 # second server IP
>>10.0.0.3 # third server IP
>>00:15:17:f8:c3:e5 # a MAC address?
ipset can manage ip-mac groups (need both).
But I'm not sure using mac is a good idea, because you can only do iptables rules with source mac, and not destination mac.
>>what about ports?
yes, it's also possible to do port groups
all types of hash groups that ipset supports: http://ipset.netfilter.org/features.html
shorewall also supports ipsets: http://shorewall.net/ipsets.html
----- Original Mail -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Friday 28 February 2014 07:48:46
Subject: RE: pvefw security group questions
> Yes, indeed, this can be tricky....
>
> Alternatively, for this kind of setup with rules with group rules with ip,
> maybe we can implement ipset?
never used that so far.
> This allows to create groups/aliases of IPs or ports, and it's faster (hashtable):
>
> ipset -N groupip iphash --probes 8
> ipset -A groupip 10.0.0.1
> ipset -A groupip 10.0.0.2
> ipset -A groupip 10.0.0.3
>
> iptables -A tapchain -p tcp --dport 80 -m set --set groupip src -j ACCEPT
> iptables -A tapchain -p tcp --dport 22 -m set --set groupip src -j ACCEPT
>
> It's faster,
So you want to create one ipset for each rule? Or simply allow users
to define groups of addresses, like:
----1000.fw---
[IPSET:groupip]
10.0.0.1 # first server IP
10.0.0.2 # second server IP
10.0.0.3 # third server IP
00:15:17:f8:c3:e5 # a MAC address?
what about ports?
...
[IN]
ACCEPT $groupip - tcp 22
----------
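The ipset-plus-iptables approach proposed in the thread, as an added example that is not part of these mails or of pve-firewall: a small Python parser for the sketched `[IPSET:name]` / `[IN]` syntax that emits the equivalent ipset and iptables commands and rejects a bare MAC entry, since a hash:ip set holds only addresses and iptables can match a MAC only as source. It uses the current `ipset create ... hash:ip` / `--match-set` syntax rather than the older `-N ... iphash` / `--set` form quoted above; the five-column rule layout (action, source, dest, proto, dport), the `tapchain` chain name and the sample entries are assumptions.

```python
import ipaddress
import re
import shlex
# Constructed sample in the [IPSET:name] / [IN] layout sketched in the thread.
# Rule columns are assumed to mean: action source dest proto dport ('-' = any).
SAMPLE_FW = """\
[IPSET:groupip]
10.0.0.1 # first server IP
10.0.0.2 # second server IP
10.0.0.3 # third server IP
[IN]
ACCEPT $groupip - tcp 22
ACCEPT $groupip - tcp 80
"""
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

def parse_fw(text):
    """Return ({set_name: [ip, ...]}, [(action, src, dst, proto, dport), ...])."""
    sets, rules, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing '# comment'
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            if section.startswith("IPSET:"):
                sets.setdefault(section[6:], [])
        elif section and section.startswith("IPSET:"):
            # hash:ip holds addresses only; iptables matches a MAC only as source.
            if MAC_RE.match(line):
                raise ValueError(f"bare MAC {line} not allowed in hash:ip set")
            sets[section[6:]].append(str(ipaddress.ip_address(line)))  # validates
        elif section == "IN":
            action, src, dst, proto, dport = line.split()  # ValueError if malformed
            rules.append((action, src, dst, proto, dport))
    return sets, rules

def render(sets, rules, chain="tapchain"):
    """Emit ipset 6.x 'create/add' and iptables '-m set --match-set' commands."""
    cmds = []
    for name, ips in sets.items():
        cmds.append(f"ipset create {shlex.quote(name)} hash:ip")
        cmds += [f"ipset add {shlex.quote(name)} {ip}" for ip in ips]
    for action, src, _dst, proto, dport in rules:
        if not (src.startswith("$") and src[1:] in sets):
            raise ValueError(f"rule refers to unknown set {src}")
        cmds.append(f"iptables -A {chain} -p {proto} --dport {dport} "
                    f"-m set --match-set {shlex.quote(src[1:])} src -j {action}")
    return cmds
```

Because the set is referenced by name, the same `groupip` can be shared by the rule groups of several guests, which is the sharing asked for above.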