[PVE-User] Re: How to create simplist firewall for Containers with Venet?
Giuliano Natali (Diaolin)
diaolin at diaolin.com
Tue Jul 3 09:17:15 CEST 2012
Bruce B wrote:
> Hi Everyone,
> I am looking for a very simple firewall or method that would prevent
> containers being able to ping each other or the mother node. Reason for
> this is so that other container or the mother node doesn't come under
> attack if one of the containers is confiscated.
shorewall I think is a good solution
for the site
apt-get install shorewall
> Currently, I am using pfSense to provide private IP subnet to all
> container and containers are either using Veth or Venet.
use a muted bridge
iface vmbr0 inet static
and attach to it the firewall itself and all containers
> However, using both methods
> I am still able to ping other containers and mother node.
of course, even in a normal LAN you could not stop this
The netmask is your enemy!
I normally do so:
iface vmbr100 inet static
iface vmbr100 inet manual
and attach the container to each bridge
and even the firewall, the pfSense for example
In this manner you have
192.168.254.2/30 as container with gateway
and so on
if you need more information write directly to me...
> I am not looking
> to involve another firewall than I currently have and if I have to do
> anything on mother, I prefer it to be simple changes as management becomes
> a nightmare if I have to do iptables.
with shorewall the iptables is like a charm...
> Please advise as to what my options are.
> Much appreciated,
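The per-container /30 bridge layout Giuliano describes, written out as an added example (not a script from the thread or from Proxmox): a POSIX sh helper that emits one empty `inet manual` bridge per container and the matching container/gateway addressing. The 192.168.254.0/24 range and the vmbr100+N numbering are assumptions chosen to match the snippets above.

```shell
#!/bin/sh
# Added example, not from the original thread: one empty bridge per
# container so that each container sits alone in its own /30, as in the
# "iface vmbr100 inet manual" stanzas above. The 192.168.254.0/24 range
# and the vmbr100+N numbering are assumptions made for illustration.

# v30_pair N: print "<gateway> <container>" for the N-th /30 carved out of
# 192.168.254.0/24 (N from 0). .1 is the gateway (the firewall's leg on
# this bridge), .2 is the container; .0 and .3 are network and broadcast.
v30_pair() {
    n=$1
    base=$(( n * 4 ))
    if [ "$base" -gt 252 ]; then
        echo "only 64 /30 blocks fit in a /24" >&2
        return 1
    fi
    echo "192.168.254.$(( base + 1 )) 192.168.254.$(( base + 2 ))"
}

# bridge_stanza N: /etc/network/interfaces stanza for vmbr(100+N). The
# bridge has no physical port and no host address ("inet manual"), so the
# only things on its layer-2 segment are the container and the firewall.
bridge_stanza() {
    br=$(( 100 + $1 ))
    printf 'auto vmbr%d\n' "$br"
    printf 'iface vmbr%d inet manual\n' "$br"
    printf '\tbridge_ports none\n\tbridge_stp off\n\tbridge_fd 0\n\n'
}

# container_addr N: "<ip>/30 via <gateway>" to configure inside the
# container attached to vmbr(100+N); the firewall holds the gateway.
container_addr() {
    pair=$(v30_pair "$1") || return 1
    set -- $pair
    echo "$2/30 via $1"
}

# Usage: print the host-side stanzas and the addressing for three containers.
for i in 0 1 2; do
    bridge_stanza "$i"
    echo "# container on vmbr$(( 100 + i )): $(container_addr "$i")"
done
```

Because each bridge carries only one container and the firewall's interface, a container cannot reach its neighbours or the host at layer 2, and every cross-container packet has to pass the firewall's rules.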