[PVE-User] Re: How to create simplist firewall for Containers with Venet?

Giuliano Natali (Diaolin) diaolin at diaolin.com
Tue Jul 3 09:17:15 CEST 2012

Bruce B wrote:
> Hi Everyone,
> I am looking for a very simple firewall or method that would prevent
> containers from being able to ping each other or the mother node. The reason for
> this is so that other containers or the mother node don't come under
> attack if one of the containers is confiscated.

Shorewall, I think, is a good solution

for the site

apt-get install shorewall

> Currently, I am using pfSense to provide a private IP subnet to all
> containers, and the containers are either using Veth or Venet.

use a muted bridge

like this

auto vmbr0
iface vmbr0 inet static
	bridge_ports none
	bridge_stp off
	bridge_fd 0

and attach to it the firewall itself and all containers

> However, using both methods
> I am still able to ping other containers and mother node.

Of course, even in a normal LAN you could not stop this.

The netmask is your enemy!

I normally do it like this:

auto vmbr100
iface vmbr100 inet static
	bridge_ports none
	bridge_stp off
	bridge_fd 0

auto vmbr101
iface vmbr101 inet manual
	bridge_ports none
	bridge_stp off
	bridge_fd 0

and attach each container to its own bridge,
and also the firewall, pfSense for example.

In this manner you have each container with its gateway (pfSense)

and so on

if you need more information write directly to me...


> I am not looking
> to involve another firewall than I currently have and if I have to do
> anything on mother, I prefer it to be simple changes as management becomes
> a nightmare if I have to do iptables.

With Shorewall, iptables works like a charm...

> Please advise as to what my options are.
> Much appreciated,
> Bruce
> _______________________________________________
> pve-user mailing list
> pve-user at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
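To check a configuration like the one in this thread for the two problems it touches on (a bridge stanza whose iface name does not match its auto line, a bridge that is not actually port-less, and containers that share a netmask and so reach each other on-link without ever passing the gateway), here is a small Python checker added as an example; it is not part of the mail or of Proxmox, and the interfaces file and container addresses it uses are constructed.

```python
import ipaddress

# Constructed sample /etc/network/interfaces: the two isolated bridges from the
# mail (with the vmbr101 stanza mis-named vmbr100, as posted) plus a vmbr0 that
# is bridged onto eth0, i.e. NOT isolated from the physical LAN.
SAMPLE_INTERFACES = """\
auto vmbr100
iface vmbr100 inet static
\tbridge_ports none
\tbridge_stp off
\tbridge_fd 0

auto vmbr101
iface vmbr100 inet manual
\tbridge_ports none
\tbridge_stp off
\tbridge_fd 0

auto vmbr0
iface vmbr0 inet static
\tbridge_ports eth0
\tbridge_stp off
\tbridge_fd 0
"""

def parse_interfaces(text):
    """Return (auto_names, stanzas); stanzas maps iface name -> option dict."""
    auto, stanzas, current = set(), {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "auto":
            auto.update(parts[1:])
        elif parts[0] == "iface":
            current = parts[1]
            stanzas[current] = {}
        elif current is not None and len(parts) >= 2:
            stanzas[current][parts[0]] = " ".join(parts[1:])
    return auto, stanzas

def lint_bridges(text):
    """Flag auto/iface name mismatches and vmbr bridges that have real ports."""
    auto, stanzas = parse_interfaces(text)
    problems = [f"{n}: listed in 'auto' but has no iface stanza"
                for n in sorted(auto - set(stanzas))]
    for name, opts in stanzas.items():
        ports = opts.get("bridge_ports", "none")
        if name.startswith("vmbr") and ports != "none":
            problems.append(f"{name}: bridge_ports {ports} (not an isolated bridge)")
    return problems

def on_link_pairs(assignments):
    """Container pairs whose addresses share a subnet: they talk directly, bypassing the gateway."""
    ifaces = {n: ipaddress.ip_interface(a) for n, a in assignments.items()}
    names = sorted(ifaces)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ifaces[a].network == ifaces[b].network]
```

`on_link_pairs` takes the container addresses as strings in `addr/prefix` form (constructed, e.g. `{"ct101": "10.0.0.11/24", "ct102": "10.0.0.12/24"}`) and returns the pairs that the netmask alone already puts on the same segment.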
