[pve-devel] firewall : cluster.fw [rules] section ?

Stefan Priebe - Profihost AG s.priebe at profihost.ag
Mon Jul 7 09:12:14 CEST 2014


Am 06.07.2014 12:21, schrieb Alexandre DERUMIER:
>>> IPX, NetBEUI
> 
> Do you think they are used in 2014 ? ;)  , don't have used them since the 90's.

I know some people still running a heavily isolated win95 installation
or even dos ;-)

Stefan

> ----- Mail original ----- 
> 
> De: "Stefan Priebe" <s.priebe at profihost.ag> 
> À: "Alexandre DERUMIER" <aderumier at odiso.com>, "Dietmar Maurer" <dietmar at proxmox.com> 
> Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
> Envoyé: Samedi 5 Juillet 2014 21:14:31 
> Objet: Re: [pve-devel] firewall : cluster.fw [rules] section ? 
> 
> Am 05.07.2014 14:18, schrieb Alexandre DERUMIER: 
>>>> Maybe simply: 
>>>>
>>>> protocols: ARP, IPV4, IPV6 
>>
>> No objection for me. 
>>
>> @Stefan, do you think we need other protocols inside a vm ? 
> 
> You mean we hardcode them instead of using /etc/ethertype? Mhm most 
> probably 802_1Q, PPP, IPX, NetBEUI. 
> 
>> BTW, I'll also rework my ipv6 patch. 
>>
>> I thinked about extend $ruleset, to something like 
>>
>> $ruleset->{iptables}->{filter} 
>> $ruleset->{iptables}->{nat} 
>> $ruleset->{ip6tables}->{filter} 
>> $ruleset->{ebtables}->{filter} 
>>
>> Like this, we can manage multi commands and filters. 
>>
>> What do you think about it ? 
> Sound great. 
> 
>> Also, for ebtables, they are ebtables-save and ebtables-restore (same format than iptables), 
>> but they are not provided by debian ebtables package.(debian remove them in their patches). 
>> do you think we can provide a pve-ebtables package ? 
> 
> Strange why do they delete it in their package? I think dietmar has to 
> decide whether an own ebtables package makes sense. Is the syntax not 
> compatible with the atomic load of the ebtabls file? 
> 
> Stefan 
> 
>> ----- Mail original ----- 
>>
>> De: "Dietmar Maurer" <dietmar at proxmox.com> 
>> À: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>, "Alexandre DERUMIER" <aderumier at odiso.com> 
>> Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
>> Envoyé: Samedi 5 Juillet 2014 05:49:22 
>> Objet: RE: [pve-devel] firewall : cluster.fw [rules] section ? 
>>
>>> It would be really nice if we can also define a set of protocols allowed for this 
>>> VM. 
>>>
>>> For example: 
>>> layer2filter_protocls: ARP,IPV4,IPV6 
>>
>> Maybe simply: 
>>
>> protocols: ARP, IPV4, IPV6 
>>


More information about the pve-devel mailing list