[PVE-User] about ipfilter confusion

lyt_yudi lyt_yudi at icloud.com
Tue Feb 17 04:26:58 CET 2015


hi, all

I followed this wiki: http://pve.proxmox.com/wiki/Proxmox_VE_Firewall
to set ipfilter for a VM:

...
[IPSET ipfilter-net0] # only allow specified IPs on net0

192.168.2.10
...

...
exists PVEFW-100-ipfilter-net0-v4 (6/YhjSitJrLDzL68TOZLZTTyrdw)
        create PVEFW-100-ipfilter-net0-v4 hash:net family inet hashsize 64 maxelem 64
        add PVEFW-100-ipfilter-net0-v4 192.168.2.10
...

...
exists tap100i0-IN (ZLbqszyZjHTbgigwssl+aZm4ogU)
        -A tap100i0-IN -p udp --dport 68 --sport 67 -j ACCEPT
        -A tap100i0-IN -m set --match-set PVEFW-0-vcloud-v4 src -j ACCEPT
        -A tap100i0-IN -j PVEFW-Drop
        -A tap100i0-IN -j NFLOG --nflog-prefix ":100:7:tap100i0-IN: policy DROP: "
        -A tap100i0-IN -j DROP
exists tap100i0-OUT (JwDnqsG9n2fnt8RZFCGMMl+rD90)
        -A tap100i0-OUT -p udp --dport 67 --sport 68 -g PVEFW-SET-ACCEPT-MARK
        -A tap100i0-OUT -m mac ! --mac-source 86:E2:F4:1C:9D:31 -j DROP
        -A tap100i0-OUT -m set ! --match-set PVEFW-100-ipfilter-net0-v4 src -j DROP
        -A tap100i0-OUT -j MARK --set-mark 0
        -A tap100i0-OUT -g PVEFW-SET-ACCEPT-MARK
...

puzzling to me:

From tap100i0-OUT to outside is DROP?

From outside to tap100i0-IN is still ACCEPT?

Thanks!


lyt_yudi
lyt_yudi at icloud.com
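Added example (editor's code, not from the post or the Proxmox project): a small evaluator that walks the two chains quoted in the message against constructed packets. It shows that the ipfilter-net0 set is consulted only on the guest's OUT chain, as a check on the source address the guest sends with, while the IN chain decides on the vcloud set; the vcloud set's members and the PVE target semantics noted in the code are assumptions.

```python
import ipaddress, shlex

# ipfilter set as in the post; the vcloud set's members are not shown there (constructed here).
IPSETS = {"PVEFW-100-ipfilter-net0-v4": ["192.168.2.10"],
          "PVEFW-0-vcloud-v4": ["192.168.0.0/16"]}

# The two chains exactly as pve-firewall printed them in the post.
CHAINS = {"tap100i0-IN": [
    "-A tap100i0-IN -p udp --dport 68 --sport 67 -j ACCEPT",
    "-A tap100i0-IN -m set --match-set PVEFW-0-vcloud-v4 src -j ACCEPT",
    "-A tap100i0-IN -j PVEFW-Drop",
    '-A tap100i0-IN -j NFLOG --nflog-prefix ":100:7:tap100i0-IN: policy DROP: "',
    "-A tap100i0-IN -j DROP"], "tap100i0-OUT": [
    "-A tap100i0-OUT -p udp --dport 67 --sport 68 -g PVEFW-SET-ACCEPT-MARK",
    "-A tap100i0-OUT -m mac ! --mac-source 86:E2:F4:1C:9D:31 -j DROP",
    "-A tap100i0-OUT -m set ! --match-set PVEFW-100-ipfilter-net0-v4 src -j DROP",
    "-A tap100i0-OUT -j MARK --set-mark 0",
    "-A tap100i0-OUT -g PVEFW-SET-ACCEPT-MARK"]}

def matches(tok, pkt):
    """Evaluate one rule's match options (tokens between '-A <chain>' and -j/-g)."""
    i, neg = 2, False
    while tok[i] not in ("-j", "-g"):
        t = tok[i]
        if t == "!": neg = True; i += 1; continue            # '!' inverts the next match
        if t == "-m": i += 2; continue                        # module load, matches nothing
        if t == "-p": ok = pkt["proto"] == tok[i + 1]
        elif t == "--dport": ok = pkt["dport"] == int(tok[i + 1])
        elif t == "--sport": ok = pkt["sport"] == int(tok[i + 1])
        elif t == "--mac-source": ok = pkt["mac"].upper() == tok[i + 1].upper()
        else:  # --match-set NAME src: is the packet's source address in the ipset?
            ok = any(ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(n)
                     for n in IPSETS[tok[i + 1]]); i += 1
        if ok == neg: return False
        neg = False; i += 2
    return True

def verdict(chain, pkt):
    """Walk a chain top to bottom. Assumed PVE semantics: NFLOG, MARK and PVEFW-Drop
    (which returns for ordinary TCP/UDP) fall through; PVEFW-SET-ACCEPT-MARK accepts."""
    for rule in CHAINS[chain]:
        tok = shlex.split(rule)
        if not matches(tok, pkt): continue
        target = tok[tok.index("-j" if "-j" in tok else "-g") + 1]
        if target in ("ACCEPT", "PVEFW-SET-ACCEPT-MARK"): return "ACCEPT"
        if target == "DROP": return "DROP"
    return "RETURN"

# Constructed TCP/443 packets with the guest's MAC; only the source address differs.
GUEST = dict(mac="86:e2:f4:1c:9d:31", proto="tcp", sport=40000, dport=443)
OUT_REAL = verdict("tap100i0-OUT", dict(GUEST, src="192.168.2.10"))   # ACCEPT: listed source
OUT_SPOOF = verdict("tap100i0-OUT", dict(GUEST, src="192.168.2.99"))  # DROP: source not in ipfilter
IN_OTHER = verdict("tap100i0-IN", dict(GUEST, src="10.0.0.5"))        # DROP: decided by vcloud, not ipfilter
```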


