[pve-devel] pve-firewall : datacenter drop/blacklist rules ?
Alexandre DERUMIER
aderumier at odiso.com
Mon Mar 24 18:17:45 CET 2014
Hi,
I'm thinking about a feature:
adding datacenter-global drop/blacklist rules.
This could be useful in case of an attack, DDoS, etc. For example,
adding at the beginning of PVE-FORWARD
a drop for matching IPs (or maybe better, an ipset group "blacklist").
So this avoids parsing all tap rules only to finally drop
(which can be CPU heavy, as the connection is never established and each packet needs to be dropped again and again).
Also, maybe adding a list of authorized ports
(in case of a global port scan attack, or if the superadmin wants to allow only specific ports).
What do you think about it?
(BTW, I'm working on the ipset feature; I'll send patches once it is finished.)
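An added illustration of the proposal above (not pve-firewall code, and not from the poster): a small POSIX shell generator that emits the ipset/iptables commands for a "blacklist" set dropped at position 1 of PVE-FORWARD, plus an optional allowed-TCP-port list. The set name, the conntrack/multiport matches and the sample addresses are assumptions; it only prints the commands, it does not apply them.

```shell
#!/bin/sh
# Added example: print an ipset + iptables fragment implementing a datacenter
# blacklist at the head of PVE-FORWARD and an optional allowed-port list.
# Nothing is applied; the operator feeds the output to ipset/iptables.

# Accept a dotted-quad IPv4 address or network with optional /prefix (assumption:
# IPv4 only, to keep the check short).
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print an ipset restore fragment for the blacklist set.
# $1 = set name, remaining args = addresses/networks. Malformed entries are
# reported as comments instead of being silently added.
gen_blacklist_set() {
    set_name=$1; shift
    printf 'create %s hash:net family inet -exist\n' "$set_name"
    for ip in "$@"; do
        if is_ipv4 "$ip"; then
            printf 'add %s %s -exist\n' "$set_name" "$ip"
        else
            printf '# skipped invalid entry: %s\n' "$ip"
        fi
    done
}

# Print the PVE-FORWARD rules. The blacklist drop is inserted at position 1 so
# blacklisted sources are dropped before any per-tap rule is evaluated.
# $1 = set name, $2 = comma-separated allowed TCP ports ("" = no port list).
# Rules are inserted at increasing positions, so order is preserved.
gen_forward_rules() {
    set_name=$1; ports=$2
    printf 'iptables -I PVE-FORWARD 1 -m set --match-set %s src -j DROP\n' "$set_name"
    if [ -n "$ports" ]; then
        # Keep already-established flows, allow the listed ports, drop other TCP.
        printf 'iptables -I PVE-FORWARD 2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
        printf 'iptables -I PVE-FORWARD 3 -p tcp -m multiport --dports %s -j ACCEPT\n' "$ports"
        printf 'iptables -I PVE-FORWARD 4 -p tcp -j DROP\n'
    fi
}

# Demo with constructed sample input (RFC 5737 documentation addresses).
gen_blacklist_set blacklist 203.0.113.5 198.51.100.0/24
gen_forward_rules blacklist 22,8006
```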