[pve-devel] pve-firewall questions
Alexandre DERUMIER
aderumier at odiso.com
Mon Jan 20 09:42:13 CET 2014
Ok, thanks.
I'll read the shorewall doc a little more.
By the way, any reason to use shorewall instead of iptables directly?
I'm reading the openstack and cloudstack firewall code; the implementation is not too difficult.
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>, "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Monday 20 January 2014 07:22:33
Subject: RE: [pve-devel] pve-firewall questions
> I'm beginning to read the pve-firewall README
> https://git.proxmox.com/?p=pve-firewall.git;a=blob;f=README;h=0d90df5b54f10cd38cbc11895744296fc7479126;hb=b486ed3b930807586eb1038c60682d5e8a8637f8
>
> About zones:
>
> >>We simply define one zone for each bridge/vm pair.
>
>
> So, we need to define 1 zone per VM?
>
> If yes, this seems strange. What I have in mind is to define 1 zone for multiple
> VMs, with no filtering inside the zone by default.
> Then configure firewall rules between the different zones.
You normally want to set up a firewall for each VM - for example each customer wants
to have a firewall for his VMs.
But we may also allow other groups like VM pools, or global rules.
> If we need to define rules for each VM, one by one, it'll take a lot of time, and
> the number of rules will be very big (and could lead to performance problems).
>
> Am I missing something?
It must be possible to define rules at different levels:
- for any network interface in the VM
- for each VM (sum of all network interfaces of a VM)
- for a VM pool (list of VMs)
- at global level (all VMs)
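As an added example (not pve-firewall code, and not anything posted in this thread), the four rule levels listed above can be modelled as a precedence stack and compiled into iptables chains. The first-match order (interface, then VM, then pool, then global, then a default policy), the chain names FW-GLOBAL / FW-POOL-* / FW-VM*-net*, the Rule fields and the sample policy are all assumptions made for illustration. Shared levels are emitted once as their own chains that the per-interface chains jump into, which keeps the rule count from growing with the number of VMs.

```python
"""Layered firewall rules compiled to per-interface iptables chains.

Added example, not pve-firewall code.  Precedence order, chain names and
Rule fields are assumptions made for illustration only.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                    # "ACCEPT" or "DROP"
    proto: Optional[str] = None    # "tcp", "udp", ... or None for any
    dport: Optional[int] = None    # destination port, None for any
    source: Optional[str] = None   # address or CIDR, None for any

    def to_iptables(self) -> str:
        """Render the match and target part of an iptables rule."""
        parts: List[str] = []
        if self.source:
            parts += ["-s", self.source]
        if self.proto:
            parts += ["-p", self.proto]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        return " ".join(parts + ["-j", self.action])

    def matches(self, pkt: dict) -> bool:
        """Simplified matcher used to simulate first-match evaluation."""
        if self.source:
            net = ipaddress.ip_network(self.source, strict=False)
            if ipaddress.ip_address(pkt["src"]) not in net:
                return False
        if self.proto and pkt.get("proto") != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


@dataclass
class Policy:
    default_action: str = "DROP"
    global_rules: List[Rule] = field(default_factory=list)
    pool_rules: Dict[str, List[Rule]] = field(default_factory=dict)
    pool_members: Dict[str, List[int]] = field(default_factory=dict)
    vm_rules: Dict[int, List[Rule]] = field(default_factory=dict)
    iface_rules: Dict[str, List[Rule]] = field(default_factory=dict)  # key "vmid/netN"


def pools_of(policy: Policy, vmid: int) -> List[str]:
    return sorted(p for p, members in policy.pool_members.items() if vmid in members)


def layered_rules(policy: Policy, vmid: int, net: str) -> List[Rule]:
    """Rules in evaluation order: interface, VM, pool(s), global."""
    rules = list(policy.iface_rules.get(f"{vmid}/{net}", []))
    rules += policy.vm_rules.get(vmid, [])
    for pool in pools_of(policy, vmid):
        rules += policy.pool_rules.get(pool, [])
    rules += policy.global_rules
    return rules


def decide(policy: Policy, vmid: int, net: str, pkt: dict) -> str:
    """First matching rule wins; the default policy applies otherwise."""
    for rule in layered_rules(policy, vmid, net):
        if rule.matches(pkt):
            return rule.action
    return policy.default_action


def compile_iptables(policy: Policy, interfaces: List[Tuple[int, str]]) -> List[str]:
    """One iptables(8) command per line.  Global and pool rules live in shared
    chains; each interface chain jumps into them.  A user-defined chain returns
    to the caller when nothing matched, so the default target comes last."""
    out = ["-N FW-GLOBAL"]
    out += [f"-A FW-GLOBAL {r.to_iptables()}" for r in policy.global_rules]
    for pool, rules in sorted(policy.pool_rules.items()):
        out.append(f"-N FW-POOL-{pool}")
        out += [f"-A FW-POOL-{pool} {r.to_iptables()}" for r in rules]
    for vmid, net in interfaces:
        chain = f"FW-VM{vmid}-{net}"
        out.append(f"-N {chain}")
        out += [f"-A {chain} {r.to_iptables()}" for r in policy.iface_rules.get(f"{vmid}/{net}", [])]
        out += [f"-A {chain} {r.to_iptables()}" for r in policy.vm_rules.get(vmid, [])]
        out += [f"-A {chain} -j FW-POOL-{p}" for p in pools_of(policy, vmid)]
        out.append(f"-A {chain} -j FW-GLOBAL")
        out.append(f"-A {chain} -j {policy.default_action}")
    return out


def sample_policy() -> Policy:
    """Constructed sample: two web VMs in a pool, one of them without TLS,
    an admin host allowed SSH everywhere, and a DB port on one interface."""
    return Policy(
        default_action="DROP",
        global_rules=[Rule("ACCEPT", proto="tcp", dport=22, source="10.0.0.5")],
        pool_rules={"web": [Rule("ACCEPT", proto="tcp", dport=80),
                            Rule("ACCEPT", proto="tcp", dport=443)]},
        pool_members={"web": [100, 101]},
        vm_rules={101: [Rule("DROP", proto="tcp", dport=443)]},
        iface_rules={"100/net1": [Rule("ACCEPT", proto="tcp", dport=3306, source="10.0.1.0/24")]},
    )


if __name__ == "__main__":
    print("\n".join(compile_iptables(sample_policy(), [(100, "net0"), (100, "net1"), (101, "net0")])))
```

Because a more specific level is appended before a less specific one, a VM-level DROP for port 443 on VM 101 wins over the pool's ACCEPT, while the global SSH rule is rendered once in FW-GLOBAL no matter how many interfaces exist.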