[pve-devel] pve-firewall : add ipfilter protection
Stefan Priebe
s.priebe at profihost.ag
Wed Jun 11 21:59:11 CEST 2014
On 11.06.2014 17:45, Dietmar Maurer wrote:
>> Think of private IP space: maybe there are the same networks in net0 and net1.
>
> I think it is a very bad network design - and not very common? Do you really use such setup? If so, why?
If I control all networks, no ;-) But we often have situations where we
control one part and a customer controls the other part. So it can easily
happen that we use the same private networks for different purposes. I
just don't know what the customer uses on the internal side.
>> Or traffic on net1 is free of charge but traffic on net0 isn't; someone could use a
>> 2nd VM as a router.
>
> how exactly?
>
>> Or someone can use a private ip range but only on net1 which is last limited to
>> 10mb/s and not on net0 which is 10gb/s.
>
> Traffic is not routed if you try to use the wrong interface, so I can't see how that happens.
I'm talking about internal VM traffic - routing doesn't matter.
I think we lose a lot of features without it. I really liked
Alexandre's idea as it binds IPs to MAC / network cards AND it allows us
to add a PVE DHCP server later as we already know which IP is on which
interface.
Stefan