[pve-devel] pve-firewall : datacenter drop/blacklist rules ?

[Alexandre DERUMIER]

>>That looks very specific, and not a general purpose setup.
>>Maybe we simply define 2 ipsets named 'Blacklist' and 'Whitelist'?

Yes, I think it's ok like this !


----- Mail original ----- 

De: "Dietmar Maurer" <dietmar at proxmox.com> 
À: "Alexandre DERUMIER" <aderumier at odiso.com>, "pve-devel" <pve-devel at pve.proxmox.com> 
Envoyé: Mardi 25 Mars 2014 05:58:04 
Objet: RE: [pve-devel] pve-firewall : datacenter drop/blacklist rules ? 

Hi Alexandre, 

first, my plan is to rename 'groups.fw' to 'cluster.fw'. That new file can also 
include a cluster wide 'rules' section, and we can add further sections 
if needed. 

> So, this avoid to parse all taps rules to finally drop (which can be cpu heavy, as 
> the connection is never established, and each packet need to be dropped, 
> again and again) 

That is the purpose of the firewall. 

> also maybe adding a list of authorized ports (in case of global ports scan 
> attack, or if superadmin want to allowed only specific ports) 
> 
> 
> What do you think about it ? 

That looks very specific, and not a general purpose setup. 

Maybe we simply define 2 ipsets named 'Blacklist' and 'Whitelist'? 

> (BTW, I'm working on ipset feature, I'll send patches after ips will be finished) 

Great. I am working on the API/GUI.