[pve-devel] pve-common : linux bridge and ovs new model implementation v2

Daniel Hunsaker danhunsaker at gmail.com
Thu May 1 23:14:15 CEST 2014


Multicast doesn't have destination IPs to filter by, so multicast traffic
leaving a node can't be filtered that way by the node.  As to filtering it
coming in, it might be possible to prevent VMs/CTs from seeing the Proxmox
multicast data by simply preventing it from being forwarded to those
interfaces.  But you'll still have the multicast across your LAN either
way, because that's how multicast works.
On May 1, 2014 1:52 PM, "Cesar Peschiera" <brain at click.com.py> wrote:

>> It's not possible with a firewall to say only send multicast traffic to a
>> specific host.
>> (or it's not multicast anymore ;)
>>
>
> But, I think that it is possible: while PVE is transmitting in multicast
> mode on UDP ports 5404 and 5405, the firewall can drop the packets for all
> except the IP addresses of the PVE nodes.
>
> An example in iptables (we know that the order of the rules is important
> to get this result):
>
> iptables -A OUTPUT -o <a-IP-address-of-PVE-Node> -p udp -m multiport
> --ports 5404,5405 -j ACCEPT
> iptables -A OUTPUT -o <other-IP-address-of-Other-PVE-Node> -p udp -m
> multiport --ports 5404,5405 -j ACCEPT
> #And finally the magic rule:
> iptables -A OUTPUT -p udp -m multiport --ports 5404,5405 -j DROP
>
> I see it as very simple, or am I missing something?
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
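The point made in the reply above, as an added illustration that is not part of the thread: a first-match evaluator over a rule set shaped like the quoted OUTPUT chain (modelled as destination-address matches, since the quoted `-o` with an IP address can only have meant a destination match), fed a corosync-style packet. Node addresses and the multicast group are constructed placeholders; only the ports 5404/5405 come from the thread.

```python
import ipaddress

# Constructed sample values (assumptions, not from the thread).
NODE_IPS = ["192.0.2.11", "192.0.2.12"]      # assumed PVE node addresses
COROSYNC_PORTS = {5404, 5405}                 # UDP ports named in the thread
MCAST_GROUP = "239.192.1.1"                   # assumed corosync group address
MULTICAST_NET = ipaddress.ip_network("224.0.0.0/4")


def is_multicast(dst):
    """True when dst is an IPv4 multicast group address."""
    return ipaddress.ip_address(dst) in MULTICAST_NET


# Rule = (destination IP or None for "any", allowed UDP ports, target).
# First match wins, like an iptables chain; the last rule is the "magic" DROP.
RULES = [(ip, COROSYNC_PORTS, "ACCEPT") for ip in NODE_IPS] + [
    (None, COROSYNC_PORTS, "DROP"),
]


def evaluate(rules, pkt):
    """Target of the first matching rule, or 'POLICY' (chain default) if none match."""
    for dst, ports, target in rules:
        if pkt["proto"] != "udp" or pkt["dport"] not in ports:
            continue
        if dst is not None and dst != pkt["dst"]:
            continue
        return target
    return "POLICY"


def corosync_packet(dst):
    """Constructed UDP datagram on a corosync port addressed to dst."""
    return {"proto": "udp", "dst": dst, "dport": 5405}


# Traffic addressed to a node's unicast IP would pass the ACCEPT rules ...
def unicast_verdict():
    return evaluate(RULES, corosync_packet(NODE_IPS[0]))   # "ACCEPT"


# ... but the node emits one datagram to the group address, which matches no
# per-node rule and falls through to DROP: the destination is the group, not
# a member, so destination filtering cannot pick recipients.
def multicast_verdict():
    return evaluate(RULES, corosync_packet(MCAST_GROUP))   # "DROP"


def forward_targets(bridge_ports, vm_ports):
    """The alternative from the reply: forward the group frame to every
    bridge port except the VM/CT ports, instead of filtering by destination."""
    return [p for p in bridge_ports if p not in vm_ports]
```

Running `multicast_verdict()` shows the cluster's own heartbeat being dropped by the quoted chain, while `forward_targets()` models keeping it off guest interfaces without touching the LAN-wide multicast.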