[pve-devel] pve-firewall : add ipfilter protection

Alexandre DERUMIER aderumier at odiso.com
Fri Jun 13 15:59:01 CEST 2014


>>Seems like this one is never created:
>>[/etc/pve]# ip a l|grep fwbr
>>[/etc/pve]#

Is your pve-common package updated? (It's managed in Network.pm)


----- Original Message -----

From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com, "Dietmar Maurer" <dietmar at proxmox.com>
Sent: Friday, 13 June 2014 15:49:18
Subject: Re: [pve-devel] pve-firewall : add ipfilter protection

On 13.06.2014 15:47, Alexandre DERUMIER wrote:
>>> I did a complete shutdown / kill kvm process and a fresh start. 
> Should not be necessary. 
> The firewall=0|1 in the net interface is to create a new bridge fwbrxxx: the tap is detached from vmbrX, attached to fwbrxxx, and fwbrxxx is plugged into vmbrX through a veth pair.
> So this is done online. 

Seems like this one is never created: 
[/etc/pve]# ip a l|grep fwbr 
[/etc/pve]# 


> ----- Original Message -----
>
> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
> To: "Alexandre DERUMIER" <aderumier at odiso.com>, "Dietmar Maurer" <dietmar at proxmox.com>
> Cc: pve-devel at pve.proxmox.com
> Sent: Friday, 13 June 2014 15:41:08
> Subject: Re: [pve-devel] pve-firewall : add ipfilter protection
>
>
> On 13.06.2014 15:36, Alexandre DERUMIER wrote:
>>>> And you enabled the firewall on that network interface? (stop/restart VM required). 
>> No vm restart is needed, hopefully ;) 
> 
> I did a complete shutdown / kill kvm process and a fresh start. 
> 
> Regards
> 
>> ----- Original Message -----
>>
>> From: "Dietmar Maurer" <dietmar at proxmox.com>
>> To: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>, "Alexandre DERUMIER" <aderumier at odiso.com>
>> Cc: pve-devel at pve.proxmox.com
>> Sent: Friday, 13 June 2014 14:54:32
>> Subject: RE: [pve-devel] pve-firewall : add ipfilter protection
>> 
>>> OK seems my testing is wrong. 
>>> 
>>> What I did:
>>> 
>>> /etc/pve/firewall/2004.fw: 
>>> [IPSET ipfilter-net0] 
>>> 10.10.28.5 
>>> 
>>> I then enabled the Firewall for this VM. 
>> 
>> Also enabled the firewall in cluster.fw? 
>> 
>>> The VM has now 10.10.28.4 on net0 - but the VM is still able to make traffic with 
>>> 10.10.28.4. Anything I did wrong?
>> 
>> And you enabled the firewall on that network interface? (stop/restart VM required). 
>> Are normal firewall rules working? 
>> 
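
Added example, not part of the original thread and not Proxmox code: a small Python check that walks the questions raised above (cluster.fw enabled, firewall=1 on the net interface, fwbr bridge present, VM address listed in ipfilter-net0). The sample option string and the interface names are constructed, and it assumes ipfilter-net0 is an allow-list of source addresses for net0, as the thread's expectation implies.

```python
import ipaddress
import re

# Constructed sample inputs (not taken from a real host).
FW_2004 = "[IPSET ipfilter-net0]\n10.10.28.5\n"            # set quoted in the thread
NET0 = "virtio=AA:BB:CC:DD:EE:FF,bridge=vmbr0,firewall=1"  # assumed option string
IP_NO_FWBR = "2: eth0: <UP>\n3: vmbr0: <UP>\n4: tap2004i0: <UP>\n"
IP_WITH_FWBR = IP_NO_FWBR + "5: fwbr2004i0: <UP>\n"        # assumed bridge name


def parse_ipset(fw_text, name):
    """Return the networks listed under [IPSET <name>] in a .fw file's text."""
    nets, in_section = [], False
    for raw in fw_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("["):              # any header starts a new section
            in_section = line.lower() == f"[ipset {name}]".lower()
            continue
        if in_section:                        # plain address or CIDR entry
            nets.append(ipaddress.ip_network(line.split()[0], strict=False))
    return nets


def diagnose(fw_text, net_option, ip_output, vm_ip, cluster_enabled):
    """Run the checks from the thread in order; return a list of findings."""
    findings = []
    if not cluster_enabled:
        findings.append("firewall not enabled in cluster.fw")
    if not re.search(r"(^|,)firewall=1(,|$)", net_option):
        findings.append("firewall=1 missing on the net interface")
    if not re.search(r"\bfwbr\w+", ip_output):
        findings.append("no fwbr bridge: tap is still on vmbrX, nothing is filtered")
    allowed = parse_ipset(fw_text, "ipfilter-net0")
    if allowed and not any(ipaddress.ip_address(vm_ip) in n for n in allowed):
        findings.append(f"{vm_ip} is not in ipfilter-net0: expect it to be blocked")
    return findings


if __name__ == "__main__":
    # Situation reported in the thread: no fwbr bridge, VM using 10.10.28.4.
    for finding in diagnose(FW_2004, NET0, IP_NO_FWBR, "10.10.28.4", True):
        print("-", finding)
```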


