[PVE-User] virtualization firewall

Michał Szamocki mszamocki at cirrus.pl
Fri Nov 6 11:50:51 CET 2009


Hello,

I represent Cirrus company from Poland. We are Linux and network administrators with 15 years of experience in offering Open Source solutions to business and over a year experience with OpenVZ paravirtualisation. Recently we have taken a closer look at Proxmox Virtual Environment and we are really excited about its usability. Our concern about it is missing firewall administration. However we have our firewall solution designed for virtualisation and we are interested in making it a part of Proxmox Virtual Environment.

Our firewall solution goals are:
- iptables based
- state aware
- allow only
- per VE configuration
- intranet/internet zones
- rules for any particular VE should be independent from traffic destination - whether it is network host or another VE
- full range of networking strategies support.

An attached package contains main script (etc/init.d/firewall) and some configuration examples (etc/default/firewallfile and etc/firewall directory). Sorry for polish comments in these files but we are ready to translate them as you find this project interesting.

The main concept of this firewall solution is to generate rules in HN environment for HN and VEs which are independent from traffic destination. Eg. With the same rule you can allow outgoing tcp traffic to http ports to whole internet and to other VEs or HN - which firewall rule allow incoming http traffic from internet. This is made by defining rules in user chains (INCOMING, OUTGOING, HN_INCOMING and HN_OUTGOING) attached to INPUT, OUTPUT and FORWARD chains. Another concept is to distinguish between private and internet traffic. It is made by marking packets on mangle table and checking marks by allow rules. Each packet is marked on it's income (bits 0 and 1) and right after routing decision is made (bits 2 and 3). 

If you have any question concerning our firewall solution I will be pleased to answer.
-- 
Michał Szamocki
Network Administrator
Cirrus - Aedificaremus Tibi
tel.: +48 58 7217000
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cirrus-firewall2.5_0.0.17_all.deb
Type: application/x-deb
Size: 7544 bytes
Desc: not available
URL: <http://pve.proxmox.com/pipermail/pve-user/attachments/20091106/1af386cb/attachment-0013.bin>


More information about the pve-user mailing list