[pve-devel] pve-firewall : datacenter drop/blacklist rules ?

Dietmar Maurer dietmar at proxmox.com
Tue Mar 25 05:58:04 CET 2014


Hi Alexandre,

first, my plan is to rename 'groups.fw' to 'cluster.fw'.  That new file can also 
include a cluster wide 'rules' section, and we can add further sections
if needed.

> So this avoids parsing all tap rules only to finally drop (which can be CPU heavy, as
> the connection is never established, and each packet needs to be dropped,
> again and again)

That is the purpose of the firewall.

> also maybe adding a list of authorized ports (in case of a global port scan
> attack, or if the superadmin wants to allow only specific ports)
> 
> What do you think about it ?

That looks very specific, and not a general purpose setup. 

Maybe we simply define 2 ipsets named 'Blacklist' and 'Whitelist'?

> (BTW, I'm working on the ipset feature, I'll send patches after ipsets are finished)

Great. I am working on the API/GUI.
