[pve-devel] [PATCH docs 2/3] pvesdn: add note to port isolation to use firewall in clusters
Aaron Lauterer
a.lauterer at proxmox.com
Wed Nov 20 13:02:04 CET 2024
since port isolation is only local on the host. To get better port
isolation, the VNET firewall can be used.
Signed-off-by: Aaron Lauterer <a.lauterer at proxmox.com>
---
pvesdn.adoc | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/pvesdn.adoc b/pvesdn.adoc
index 2e24dd2..1541e54 100644
--- a/pvesdn.adoc
+++ b/pvesdn.adoc
@@ -388,6 +388,10 @@ but not for the interface itself. This means guests can only send traffic to
non-isolated bridge-ports, which is the bridge itself. In order for this setting
to take effect, you need to restart the affected guest.
+NOTE: Port isolation is local to each host. Use the
+xref:pvesdn_firewall_integration[VNET Firewall] to further isolate traffic in
+the VNET across nodes. For example, DROP by default and only allow traffic from
+the IP subnet to the gateway and the vice versa.
[[pvesdn_config_subnet]]
Subnets
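Review bot: "and the vice versa" in the last added line of the NOTE should read "and vice versa"; the sentence would also be clearer if the example policy named both directions explicitly, e.g. "For example, DROP by default and only allow traffic from the IP subnet to the gateway and from the gateway to the IP subnet." Suggested replacement for the last two added lines: "the VNET across nodes. For example, DROP by default and only allow traffic between the IP subnet and the gateway in both directions."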
--
2.39.5