[PVE-User] less a firewall rule?
Alexandre DERUMIER
aderumier at odiso.com
Mon Jul 28 09:45:24 CEST 2014
Can you provide the firewall config files?
/etc/pve/firewall/<vmid>.fw
/etc/pve/firewall/cluster.fw
----- Original Message -----
From: "lyt_yudi" <lyt_yudi at icloud.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>, "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: "proxmoxve (pve-user at pve.proxmox.com)" <pve-user at pve.proxmox.com>
Sent: Monday 28 July 2014 09:37:59
Subject: less a firewall rule?
Hi Dietmar, Alexandre,
When I tested the firewall for a VM, I had a problem. Some rules are as follows:
…...
exists tap101i0-IN (BTEOhWV/v+Zl6CQWeg2ZJDm8Vbk)
-A tap101i0-IN -p udp --dport 68 --sport 67 -j ACCEPT
-A tap101i0-IN -j PVEFW-Drop
-A tap101i0-IN -j NFLOG --nflog-prefix ":101:7:tap101i0-IN: policy DROP: "
-A tap101i0-IN -j DROP
exists tap101i0-OUT (x7NhU3mpqGhLeZq46V3iXxrU25E)
-A tap101i0-OUT -p udp --dport 67 --sport 68 -g PVEFW-SET-ACCEPT-MARK
-A tap101i0-OUT -m mac ! --mac-source 76:A4:04:1D:4F:BE -j DROP
-A tap101i0-OUT -j MARK --set-mark 0
-A tap101i0-OUT -g PVEFW-SET-ACCEPT-MARK
exists tap101i1-IN (7PKojdznbQ+5daSJnZK2atU9BHY)
-A tap101i1-IN -p udp --dport 68 --sport 67 -j ACCEPT
-A tap101i1-IN -m set --match-set PVEFW-0-testnet src -j ACCEPT
-A tap101i1-IN -j PVEFW-Drop
-A tap101i1-IN -j NFLOG --nflog-prefix ":101:7:tap101i1-IN: policy DROP: "
-A tap101i1-IN -j DROP
exists tap101i1-OUT (TmXwL3AjUtJkFHtwoEVqon/JArQ)
-A tap101i1-OUT -p udp --dport 67 --sport 68 -g PVEFW-SET-ACCEPT-MARK
-A tap101i1-OUT -m mac ! --mac-source CA:24:FC:72:CE:EC -j DROP
-A tap101i1-OUT -j MARK --set-mark 0
-A tap101i1-OUT -g PVEFW-SET-ACCEPT-MARK
……
Why does tap101i0-IN not have this rule:
…….
-A tap101i0-IN -m set --match-set PVEFW-0-testnet src -j ACCEPT
…….
#this vm conf:
balloon: 2048
bootdisk: virtio0
cores: 4
cpuunits: 10000
hotplug: 1
memory: 4096
name: test2
net0: virtio=76:A4:04:1D:4F:BE,bridge=vmbr1,tag=40,firewall=1
net1: virtio=CA:24:FC:72:CE:EC,bridge=vmbr1,tag=3009,firewall=1
onboot: 0
ostype: l26
sockets: 1
virtio0: c051401:vm-101-disk-1,size=32G
I have tested it a few times (disabled the firewall for net0 and re-enabled it, and also shut down this VM; the result is the same).
But for the second VM the rule is correct:
…...
exists tap103i0-IN (qR3fhxLpBwau+mwYpGORriUkchU)
-A tap103i0-IN -p udp --dport 68 --sport 67 -j ACCEPT
-A tap103i0-IN -m set --match-set PVEFW-0-testnet src -j ACCEPT
-A tap103i0-IN -j PVEFW-Drop
-A tap103i0-IN -j NFLOG --nflog-prefix ":103:7:tap103i0-IN: policy DROP: "
-A tap103i0-IN -j DROP
exists tap103i0-OUT (gjMtlzzvQKkF68JPWemW8Qu2fJ8)
-A tap103i0-OUT -p udp --dport 67 --sport 68 -g PVEFW-SET-ACCEPT-MARK
-A tap103i0-OUT -m mac ! --mac-source CE:60:6C:FB:81:4F -j DROP
-A tap103i0-OUT -j MARK --set-mark 0
-A tap103i0-OUT -g PVEFW-SET-ACCEPT-MARK
exists tap103i1-IN (68gAcGFOIN2RENZVA38EeZlG8tQ)
-A tap103i1-IN -p udp --dport 68 --sport 67 -j ACCEPT
-A tap103i1-IN -m set --match-set PVEFW-0-testnet src -j ACCEPT
-A tap103i1-IN -j PVEFW-Drop
-A tap103i1-IN -j NFLOG --nflog-prefix ":103:7:tap103i1-IN: policy DROP: "
-A tap103i1-IN -j DROP
exists tap103i1-OUT (FeGjbt3klifLfGifM/M1okkEWAQ)
-A tap103i1-OUT -p udp --dport 67 --sport 68 -g PVEFW-SET-ACCEPT-MARK
-A tap103i1-OUT -m mac ! --mac-source 9E:1B:EB:D9:25:91 -j DROP
-A tap103i1-OUT -j MARK --set-mark 0
-A tap103i1-OUT -g PVEFW-SET-ACCEPT-MARK
…...
There, if I ping from 103i0 to 101i0, I get the error: Request timed out
Where did I do something wrong?
Thank you!
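The mail compares the compiled per-NIC chains by eye to find the missing ipset ACCEPT. The script below is an added example (not Proxmox code and not from either poster) that does the same comparison mechanically: it parses a pve-firewall chain dump in the format shown above, reads the `netN:` lines of each VM config, and for every NIC with `firewall=1` checks that the `tapXXXiY-IN` chain carries the expected `--match-set ... src -j ACCEPT` rule before any terminating jump, and that the `-OUT` chain carries the anti-spoof rule for that NIC's MAC. The dump excerpt and the VM 101 net lines are copied from the mail; the VM 103 config line is constructed (the mail does not show it, only its chains), and the ipset name `PVEFW-0-testnet` is taken from the dump.

```python
import re

# Constructed excerpt modelled on the chain dump in the mail (only the chains
# needed for the check are reproduced; the hashes are the ones shown there).
RULE_DUMP = """\
exists tap101i0-IN (BTEOhWV/v+Zl6CQWeg2ZJDm8Vbk)
-A tap101i0-IN -p udp --dport 68 --sport 67 -j ACCEPT
-A tap101i0-IN -j PVEFW-Drop
-A tap101i0-IN -j NFLOG --nflog-prefix ":101:7:tap101i0-IN: policy DROP: "
-A tap101i0-IN -j DROP
exists tap101i0-OUT (x7NhU3mpqGhLeZq46V3iXxrU25E)
-A tap101i0-OUT -p udp --dport 67 --sport 68 -g PVEFW-SET-ACCEPT-MARK
-A tap101i0-OUT -m mac ! --mac-source 76:A4:04:1D:4F:BE -j DROP
-A tap101i0-OUT -j MARK --set-mark 0
-A tap101i0-OUT -g PVEFW-SET-ACCEPT-MARK
exists tap101i1-IN (7PKojdznbQ+5daSJnZK2atU9BHY)
-A tap101i1-IN -p udp --dport 68 --sport 67 -j ACCEPT
-A tap101i1-IN -m set --match-set PVEFW-0-testnet src -j ACCEPT
-A tap101i1-IN -j PVEFW-Drop
-A tap101i1-IN -j NFLOG --nflog-prefix ":101:7:tap101i1-IN: policy DROP: "
-A tap101i1-IN -j DROP
exists tap103i0-IN (qR3fhxLpBwau+mwYpGORriUkchU)
-A tap103i0-IN -p udp --dport 68 --sport 67 -j ACCEPT
-A tap103i0-IN -m set --match-set PVEFW-0-testnet src -j ACCEPT
-A tap103i0-IN -j PVEFW-Drop
-A tap103i0-IN -j NFLOG --nflog-prefix ":103:7:tap103i0-IN: policy DROP: "
-A tap103i0-IN -j DROP
"""

# VM 101 net lines are from the mail; the VM 103 line is constructed for the
# example (its MAC is taken from the tap103i0-OUT chain in the mail).
VM_CONFS = {
    101: "net0: virtio=76:A4:04:1D:4F:BE,bridge=vmbr1,tag=40,firewall=1\n"
         "net1: virtio=CA:24:FC:72:CE:EC,bridge=vmbr1,tag=3009,firewall=1\n",
    103: "net0: virtio=CE:60:6C:FB:81:4F,bridge=vmbr1,tag=40,firewall=1\n",
}

MAC_RE = re.compile(r"([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")
TERMINATING = ("-j PVEFW-Drop", "-j DROP")


def parse_chains(dump):
    """Map chain name -> ordered list of rule bodies (text after '-A <chain> ')."""
    chains = {}
    for line in dump.splitlines():
        m = re.match(r"exists (\S+) \(", line)
        if m:
            chains.setdefault(m.group(1), [])
            continue
        m = re.match(r"-A (\S+) (.*)$", line)
        if m:
            chains.setdefault(m.group(1), []).append(m.group(2))
    return chains


def firewalled_nics(conf_text):
    """Return [(index, mac)] for every netN line that has firewall=1."""
    nics = []
    for line in conf_text.splitlines():
        m = re.match(r"net(\d+):\s*(.*)", line)
        if not m:
            continue
        opts = dict(kv.split("=", 1) for kv in m.group(2).split(",") if "=" in kv)
        if opts.get("firewall") != "1":
            continue
        mac = next((v for v in opts.values() if MAC_RE.fullmatch(v)), None)
        nics.append((int(m.group(1)), mac))
    return nics


def check_vm(vmid, conf_text, chains, ipset):
    """Return findings for one VM; an empty list means chains match the config."""
    findings = []
    want = f"-m set --match-set {ipset} src -j ACCEPT"
    for idx, mac in firewalled_nics(conf_text):
        chain_in = f"tap{vmid}i{idx}-IN"
        rules = chains.get(chain_in)
        if rules is None:
            findings.append(f"{chain_in}: chain missing")
            continue
        if want not in rules:
            findings.append(f"{chain_in}: missing '{want}'")
        else:
            # iptables evaluates top-down: an ACCEPT placed after a terminating
            # jump is dead, so position matters as much as presence.
            first_term = next((i for i, r in enumerate(rules) if r in TERMINATING),
                              len(rules))
            if rules.index(want) > first_term:
                findings.append(f"{chain_in}: ipset ACCEPT placed after terminating rule")
        out = chains.get(f"tap{vmid}i{idx}-OUT")
        if out is not None and f"-m mac ! --mac-source {mac} -j DROP" not in out:
            findings.append(f"tap{vmid}i{idx}-OUT: no anti-spoof rule for {mac}")
    return findings


def audit(dump=RULE_DUMP, confs=VM_CONFS, ipset="PVEFW-0-testnet"):
    """Run check_vm over every VM config; returns {vmid: [findings]}."""
    chains = parse_chains(dump)
    return {vmid: check_vm(vmid, conf, chains, ipset) for vmid, conf in confs.items()}


if __name__ == "__main__":
    for vmid, findings in audit().items():
        print(vmid, "OK" if not findings else findings)
```

On the excerpt above the audit reports exactly the discrepancy the mail describes (`tap101i0-IN` lacks the `PVEFW-0-testnet` ACCEPT) and nothing for VM 103. Against a live host the same functions can be fed the real compile output and the contents of `/etc/pve/qemu-server/<vmid>.conf`.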