[PVE-User] less a firewall rule?

lyt_yudi lyt_yudi at icloud.com
Mon Jul 28 09:37:59 CEST 2014


hi,Dietmar, Alexandre

when I tested firewall for a vm, have a problem. some rules as follows:  

…...
exists tap101i0-IN (BTEOhWV/v+Zl6CQWeg2ZJDm8Vbk)
        -A tap101i0-IN -p udp --dport 68 --sport 67 -j ACCEPT
        -A tap101i0-IN -j PVEFW-Drop
        -A tap101i0-IN -j NFLOG --nflog-prefix ":101:7:tap101i0-IN: policy DROP: "
        -A tap101i0-IN -j DROP
exists tap101i0-OUT (x7NhU3mpqGhLeZq46V3iXxrU25E)
        -A tap101i0-OUT -p udp --dport 67 --sport 68 -g PVEFW-SET-ACCEPT-MARK
        -A tap101i0-OUT -m mac ! --mac-source 76:A4:04:1D:4F:BE -j DROP
        -A tap101i0-OUT -j MARK --set-mark 0
        -A tap101i0-OUT -g PVEFW-SET-ACCEPT-MARK
exists tap101i1-IN (7PKojdznbQ+5daSJnZK2atU9BHY)
        -A tap101i1-IN -p udp --dport 68 --sport 67 -j ACCEPT
        -A tap101i1-IN -m set --match-set PVEFW-0-testnet src -j ACCEPT
        -A tap101i1-IN -j PVEFW-Drop
        -A tap101i1-IN -j NFLOG --nflog-prefix ":101:7:tap101i1-IN: policy DROP: "
        -A tap101i1-IN -j DROP
exists tap101i1-OUT (TmXwL3AjUtJkFHtwoEVqon/JArQ)
        -A tap101i1-OUT -p udp --dport 67 --sport 68 -g PVEFW-SET-ACCEPT-MARK
        -A tap101i1-OUT -m mac ! --mac-source CA:24:FC:72:CE:EC -j DROP
        -A tap101i1-OUT -j MARK --set-mark 0
        -A tap101i1-OUT -g PVEFW-SET-ACCEPT-MARK
……


why for tap101i0-IN have no this rule:
…….	
 	-A tap101i0-IN -m set --match-set PVEFW-0-testnet src -j ACCEPT
…….

#this vm conf:
balloon: 2048
bootdisk: virtio0
cores: 4
cpuunits: 10000
hotplug: 1
memory: 4096
name: test2
net0: virtio=76:A4:04:1D:4F:BE,bridge=vmbr1,tag=40,firewall=1
net1: virtio=CA:24:FC:72:CE:EC,bridge=vmbr1,tag=3009,firewall=1
onboot: 0
ostype: l26
sockets: 1
virtio0: c051401:vm-101-disk-1,size=32G

I have tested it a few times(disable firewall for net0 and reenable firewall for net0,and shutdown this vm ,also the same wrong.)
bug for the second vm rule is correct:
…...
exists tap103i0-IN (qR3fhxLpBwau+mwYpGORriUkchU)
        -A tap103i0-IN -p udp --dport 68 --sport 67 -j ACCEPT
        -A tap103i0-IN -m set --match-set PVEFW-0-testnet src -j ACCEPT
        -A tap103i0-IN -j PVEFW-Drop
        -A tap103i0-IN -j NFLOG --nflog-prefix ":103:7:tap103i0-IN: policy DROP: "
        -A tap103i0-IN -j DROP
exists tap103i0-OUT (gjMtlzzvQKkF68JPWemW8Qu2fJ8)
        -A tap103i0-OUT -p udp --dport 67 --sport 68 -g PVEFW-SET-ACCEPT-MARK
        -A tap103i0-OUT -m mac ! --mac-source CE:60:6C:FB:81:4F -j DROP
        -A tap103i0-OUT -j MARK --set-mark 0
        -A tap103i0-OUT -g PVEFW-SET-ACCEPT-MARK
exists tap103i1-IN (68gAcGFOIN2RENZVA38EeZlG8tQ)
        -A tap103i1-IN -p udp --dport 68 --sport 67 -j ACCEPT
        -A tap103i1-IN -m set --match-set PVEFW-0-testnet src -j ACCEPT
        -A tap103i1-IN -j PVEFW-Drop
        -A tap103i1-IN -j NFLOG --nflog-prefix ":103:7:tap103i1-IN: policy DROP: "
        -A tap103i1-IN -j DROP
exists tap103i1-OUT (FeGjbt3klifLfGifM/M1okkEWAQ)
        -A tap103i1-OUT -p udp --dport 67 --sport 68 -g PVEFW-SET-ACCEPT-MARK
        -A tap103i1-OUT -m mac ! --mac-source 9E:1B:EB:D9:25:91 -j DROP
        -A tap103i1-OUT -j MARK --set-mark 0
        -A tap103i1-OUT -g PVEFW-SET-ACCEPT-MARK
…...

there, if i use ping from 103i0 to 101i0, get error: Request timed out

where are something wrong for me?

thanks you!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.proxmox.com/pipermail/pve-user/attachments/20140728/689648c9/attachment.htm>


More information about the pve-user mailing list