[pve-devel] cluster FW separated from vm fw?

Stefan Priebe s.priebe at profihost.ag
Wed Jun 18 21:14:59 CEST 2014


On 18.06.2014 16:04, Alexandre DERUMIER wrote:
>>> Is there any reason to enable a VM firewall just by checking the box at
>>> the interface and ignore the cluster fw setting?
>
> you can have a cluster.fw with only
>
> "
> [OPTIONS]
>
> # enable firewall (cluster wide setting, default is disabled)
> enable: 1
>
> # default policy for host rules
> policy_in: DROP
> policy_out: ACCEPT
> "
>
> (aliases|ipset|group are defined, to be reused in vmid.fw rules, if you want, but it's optional)
>
>
> and to disable host firewall (iptables input|output filter)
>
> # /etc/pve/local/host.fw
> [OPTIONS]
> enable: 0
>
>
> should be enough to disable host.fw

ah OK. Sorry so many firewall options everywhere.

Thanks!

Stefan


> ----- Original message -----
>
> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
> To: pve-devel at pve.proxmox.com
> Sent: Wednesday 18 June 2014 15:46:45
> Subject: [pve-devel] cluster FW separated from vm fw?
>
> Hi,
>
> is there any reason why VM firewall support is directly combined with
> cluster firewall?
>
> I mean it's nice if PVE brings its own firewall for the host nodes but
> for people like me who already have their firewall concepts for the host
> nodes it's a mess.
>
> I really would like only to use the firewall for the VMs themselves.
>
> Is there any reason to enable a VM firewall just by checking the box at
> the interface and ignore the cluster fw setting?
>
> Stefan
