[pve-devel] pve-firewall : add ipfilter protection

Stefan Priebe - Profihost AG s.priebe at profihost.ag
Fri Jun 13 15:46:49 CEST 2014


On 13.06.2014 15:45, Alexandre DERUMIER wrote:
>>> Are the global rules really global or just copied to each VM while 
>>> they're created? 
> 
> I just see that we can define rules in cluster.fw, but I don't think they are applied anywhere ???
> 
> in cluster.fw, you can define security groups, ipsets, aliases.
> Then you can use them in rules in each vmid.fw.
> 
> 
>>> Is it later possible to give a user the possibility to do their own
>>> firewall stuff but not being allowed to EDIT my ipset filters for the
>>> network cards?
> 
> for ipfilter ipset, I don't think it's possible currently to define them in cluster.fw.
> Maybe it could be a better place than vmid.fw, as it should be the datacenter admin who manages this kind of filtering.

Yes, this was my intention. Even if the user disables "his" firewall,
the datacenter admin still wants his IP filter and a MAC filter set.

Stefan


> ----- Original Mail -----
>
> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
> To: "Dietmar Maurer" <dietmar at proxmox.com>, "Alexandre DERUMIER" <aderumier at odiso.com>
> Cc: pve-devel at pve.proxmox.com
> Sent: Friday 13 June 2014 14:39:36
> Subject: Re: [pve-devel] pve-firewall : add ipfilter protection
> 
> Hi, 
> 
> OK my test setup is up and running. 
> 
> I'm not really familiar with the current firewall code in PVE. 
> 
> Are the global rules really global or just copied to each VM while 
> they're created? 
> 
> Is it later possible to give a user the possibility to do their own
> firewall stuff but not being allowed to EDIT my ipset filters for the
> network cards?
> 
> Stefan 
> 
> On 12.06.2014 10:41, Dietmar Maurer wrote:
>>
>>
>>> -----Original Message----- 
>>> From: Alexandre DERUMIER [mailto:aderumier at odiso.com] 
>>> Sent: Thursday, 12 June 2014 10:37
>>> To: Dietmar Maurer 
>>> Cc: pve-devel at pve.proxmox.com; Stefan Priebe 
>>> Subject: Re: [pve-devel] pve-firewall : add ipfilter protection 
>>>
>>> What is the netid for an openvz veth interface?
>>>
>>
>> eth0, eth1, ... 
>>
>>> (maybe can we add an example ?) 
>>
>> please add (send a patch). 
>>
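As an added illustration of the cluster.fw / vmid.fw split discussed in this thread (this is not from the original mails; the section syntax follows the pve-firewall configuration file format, the addresses are constructed samples, and the `ipfilter-net0` ipset name and `ipfilter` option are assumptions about how a per-NIC filter would be expressed):

```ini
# /etc/pve/firewall/cluster.fw
# Datacenter scope: aliases, ipsets and security groups defined here can be
# referenced from every vmid.fw but are managed by the datacenter admin.
[ALIASES]
mgmt 192.0.2.10

[IPSET trusted_admins]
mgmt
192.0.2.0/24

# Security group reusable from any VM's rules.
[group webservers]
IN ACCEPT -p tcp -dport 80
IN ACCEPT -p tcp -dport 443

# /etc/pve/firewall/100.fw
# Per-VM scope: this is the file the VM owner edits. The ipfilter ipset for
# net0 lives here in this sketch, which is exactly what the thread questions:
# an owner who can edit this file can also edit or disable the address filter.
[OPTIONS]
enable: 1
ipfilter: 1

[IPSET ipfilter-net0]
198.51.100.5

[RULES]
GROUP webservers
IN SSH(ACCEPT) -source +trusted_admins
```

The point raised in the thread is that the `ipfilter-net0` set would have to move to the datacenter scope (or be applied regardless of the VM's `enable` option) for a MAC/IP filter to survive the VM owner disabling "his" firewall.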