[pve-devel] pve-firewall : add ipfilter protection
Alexandre DERUMIER
aderumier at odiso.com
Fri Jun 13 15:48:14 CEST 2014
>>Yes this was my intention. Even if the user disabled "his" firewall -
>>the datacenter admin still wants his ip filter and a mac filter set.
For this, we should also add a way to force firewall=1 for net0:... in vmid.conf
----- Mail original -----
De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
À: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com, "Dietmar Maurer" <dietmar at proxmox.com>
Envoyé: Vendredi 13 Juin 2014 15:46:49
Objet: Re: [pve-devel] pve-firewall : add ipfilter protection
Am 13.06.2014 15:45, schrieb Alexandre DERUMIER:
>>> Are the global rules really global or just copied to each VM while
>>> they're created?
>
> I just see that we can define rules in cluster.fw, but I don't think they are applied anywhere ???
>
> in cluster.fw, you can defined security group,ipset, aliases.
> Then you can use them in rules in each vmid.fw.
>
>
>>> Is it later possible to give a user the possibility to do its own
>>> firewall stuff but not being allowed to EDIT my ipset filters for the
>>> network cards?
>
> for ipfilter ipset, I don't think it's possible currently to define them in cluster.fw.
> Maybe it could be a better place than vmid.fw ? as it should be the datacenter admin to manage this kind of filtering.
Yes this was my intention. Even if the user disabled "his" firewall -
the datacenter admin still wants his ip filter and a mac filter set.
Stefan
> ----- Mail original -----
>
> De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
> À: "Dietmar Maurer" <dietmar at proxmox.com>, "Alexandre DERUMIER" <aderumier at odiso.com>
> Cc: pve-devel at pve.proxmox.com
> Envoyé: Vendredi 13 Juin 2014 14:39:36
> Objet: Re: [pve-devel] pve-firewall : add ipfilter protection
>
> Hi,
>
> OK my test setup is up and running.
>
> I'm not really familiar with the current firewall code in PVE.
>
> Are the global rules really global or just copied to each VM while
> they're created?
>
> Is it later possible to give a user the possibility to do its own
> firewall stuff but not being allowed to EDIT my ipset filters for the
> network cards?
>
> Stefan
>
> Am 12.06.2014 10:41, schrieb Dietmar Maurer:
>>
>>
>>> -----Original Message-----
>>> From: Alexandre DERUMIER [mailto:aderumier at odiso.com]
>>> Sent: Donnerstag, 12. Juni 2014 10:37
>>> To: Dietmar Maurer
>>> Cc: pve-devel at pve.proxmox.com; Stefan Priebe
>>> Subject: Re: [pve-devel] pve-firewall : add ipfilter protection
>>>
>>> What is the netid for a openvz veth interface ?
>>>
>>
>> eth0, eth1, ...
>>
>>> (maybe can we add an example ?)
>>
>> please add (send a patch).
>>
More information about the pve-devel
mailing list