[pve-devel] pve-firewall questions

Alexandre DERUMIER aderumier at odiso.com
Mon Jan 20 09:42:13 CET 2014


Ok, thanks.

I'll read the shorewall doc a little more.

By the way, any reason to use shorewall instead iptables directly ?

I'm reading openstack and cloustack firewall code, implementation is not too difficult
----- Mail original ----- 

De: "Dietmar Maurer" <dietmar at proxmox.com> 
À: "Alexandre DERUMIER" <aderumier at odiso.com>, "pve-devel" <pve-devel at pve.proxmox.com> 
Envoyé: Lundi 20 Janvier 2014 07:22:33 
Objet: RE: [pve-devel] pve-firewall questions 

> i'm begin to read pve-firewall README 
> https://git.proxmox.com/?p=pve- 
> firewall.git;a=blob;f=README;h=0d90df5b54f10cd38cbc11895744296fc7479126 
> ;hb=b486ed3b930807586eb1038c60682d5e8a8637f8 
> 
> About zones: 
> 
> >>We simply define one zone for each bridge/vm pair. 
> 
> 
> So, we need to define 1 zone by vm ? 
> 
> If yes, this seem strange. What I have in mind, is to define 1 zone for multiple 
> vms, with no filtering inside the zone by default. 
> Then configure firewall rules between the differents zones. 

You normally want to setup a firewall for each VM - for example each customer want 
to have a firewall for his VMs. 

But we may also allow other groups like VM pools, or global rules. 

> If we need to defined rules, for each vm, one by one, I'll take a lot of time, and 
> the number of rules will be very big. (and could lead to performance problem) 
> 
> Does I miss something ? 

It must be possible to define rules at different levels: 

- for any network interface in the VM 
- for each VM (sum of all network interfaces of a VM) 
- for a VM pool (list of VMs) 
- at global level (all VMs) 



More information about the pve-devel mailing list