[pve-devel] pve-firewall : add ipfilter protection

Alexandre DERUMIER aderumier at odiso.com
Fri Jun 13 15:48:14 CEST 2014


>>Yes this was my intention. Even if the user disabled "his" firewall -
>>the datacenter admin still wants his ip filter and a mac filter set.

For this, we should also add a way to force firewall=1 for net0:... in vmid.conf

----- Original Mail -----

From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com, "Dietmar Maurer" <dietmar at proxmox.com>
Sent: Friday 13 June 2014 15:46:49
Subject: Re: [pve-devel] pve-firewall : add ipfilter protection

On 13.06.2014 15:45, Alexandre DERUMIER wrote:
>>> Are the global rules really global or just copied to each VM while 
>>> they're created? 
> 
> I just see that we can define rules in cluster.fw, but I don't think they are applied anywhere ??? 
> 
> In cluster.fw, you can define security groups, ipsets and aliases.
> Then you can use them in rules in each vmid.fw.
> 
> 
>>> Is it later possible to give a user the possibility to do their own
>>> firewall stuff but not being allowed to EDIT my ipset filters for the
>>> network cards?
> 
> For the ipfilter ipset, I don't think it's currently possible to define it in cluster.fw.
> Maybe that would be a better place than vmid.fw, as it should be the datacenter admin who manages this kind of filtering.

Yes this was my intention. Even if the user disabled "his" firewall - 
the datacenter admin still wants his ip filter and a mac filter set. 

Stefan 


> ----- Original Mail -----
>
> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
> To: "Dietmar Maurer" <dietmar at proxmox.com>, "Alexandre DERUMIER" <aderumier at odiso.com>
> Cc: pve-devel at pve.proxmox.com
> Sent: Friday 13 June 2014 14:39:36
> Subject: Re: [pve-devel] pve-firewall : add ipfilter protection
> 
> Hi, 
> 
> OK my test setup is up and running. 
> 
> I'm not really familiar with the current firewall code in PVE. 
> 
> Are the global rules really global or just copied to each VM while 
> they're created? 
> 
> Is it later possible to give a user the possibility to do their own
> firewall stuff but not being allowed to EDIT my ipset filters for the
> network cards?
> 
> Stefan 
> 
> On 12.06.2014 10:41, Dietmar Maurer wrote:
>> 
>> 
>>> -----Original Message----- 
>>> From: Alexandre DERUMIER [mailto:aderumier at odiso.com] 
>>> Sent: Thursday, 12 June 2014 10:37
>>> To: Dietmar Maurer 
>>> Cc: pve-devel at pve.proxmox.com; Stefan Priebe 
>>> Subject: Re: [pve-devel] pve-firewall : add ipfilter protection 
>>> 
>>> What is the netid for an openvz veth interface?
>>> 
>> 
>> eth0, eth1, ... 
>> 
>>> (maybe can we add an example ?) 
>> 
>> please add (send a patch). 
>> 
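The check proposed at the top of this thread (forcing firewall=1 on every net<N> entry of a vmid.conf so that a datacenter-level ipfilter/mac filter cannot be bypassed by a user switching "his" firewall off), as an added example that is not part of the thread or of pve-firewall itself; the comma-separated key=value layout of the net<N> line and the sample config are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of a Proxmox VM config (vmid.conf). The net<N> line layout
# (comma-separated key=value options, firewall=1 enabling the per-NIC firewall)
# is assumed here, not taken from the thread.
SAMPLE_VMID_CONF = """\
bootdisk: scsi0
cores: 2
net0: virtio=DE:AD:BE:EF:00:01,bridge=vmbr0,firewall=1
net1: virtio=DE:AD:BE:EF:00:02,bridge=vmbr1
net2: virtio=DE:AD:BE:EF:00:03,bridge=vmbr0,firewall=0
"""

NET_LINE = re.compile(r"^(net\d+):\s*(.*)$")


def parse_net_devices(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {netid: {option: value}} for every net<N> line in a vmid.conf."""
    devices: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = NET_LINE.match(line.strip())
        if not m:
            continue
        netid, opts = m.groups()
        parsed: Dict[str, str] = {}
        for item in opts.split(","):
            key, _, value = item.partition("=")
            parsed[key.strip()] = value.strip()
        devices[netid] = parsed
    return devices


def nics_without_firewall(conf: str) -> List[str]:
    """NICs on which firewall=1 is not set, i.e. where a datacenter-wide
    ipfilter or mac filter could not be enforced (the concern in the thread)."""
    return sorted(netid for netid, opts in parse_net_devices(conf).items()
                  if opts.get("firewall") != "1")


def force_firewall(conf: str) -> str:
    """Rewrite the config so every net<N> line carries firewall=1, which is the
    'force firewall=1 for net0' behaviour suggested in the reply above."""
    out = []
    for line in conf.splitlines():
        m = NET_LINE.match(line.strip())
        if m:
            netid, opts = m.groups()
            items = [i for i in opts.split(",") if not i.startswith("firewall=")]
            items.append("firewall=1")
            line = f"{netid}: {','.join(items)}"
        out.append(line)
    return "\n".join(out) + "\n"
```

Running `nics_without_firewall(SAMPLE_VMID_CONF)` on the sample reports net1 (option absent) and net2 (explicitly 0); after `force_firewall` the list is empty.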
