[PVE-User] about ipfilter confusion

alex lu lyt_yudi at icloud.com
Fri Feb 20 10:04:03 CET 2015


Thanks! If it filters both (input and output), it will be very useful for me.

Sent from my iPhone

> On 17 Feb 2015, at 13:09, Dietmar Maurer <dietmar at proxmox.com> wrote:
> 
> 
> 
>> On February 17, 2015 at 4:26 AM lyt_yudi <lyt_yudi at icloud.com> wrote:
>> 
>> 
>> Hi all,
>>    
>>    following this wiki: http://pve.proxmox.com/wiki/Proxmox_VE_Firewall
>>    to set ipfilter for a VM,
>> 
>> …...    
>>    [IPSET ipfilter-net0] # only allow specified IPs on net0
>>    
>>    192.168.2.10
>> ……
>> 
>> ……
>> exists PVEFW-100-ipfilter-net0-v4 (6/YhjSitJrLDzL68TOZLZTTyrdw)
>>        create PVEFW-100-ipfilter-net0-v4 hash:net family inet hashsize 64 maxelem 64
>>        add PVEFW-100-ipfilter-net0-v4 192.168.2.10
>> …...
>> 
>> ……
>> exists tap100i0-IN (ZLbqszyZjHTbgigwssl+aZm4ogU)
>>        -A tap100i0-IN -p udp --dport 68 --sport 67 -j ACCEPT
>>        -A tap100i0-IN -m set --match-set PVEFW-0-vcloud-v4 src -j ACCEPT
>>        -A tap100i0-IN -j PVEFW-Drop
>>        -A tap100i0-IN -j NFLOG --nflog-prefix ":100:7:tap100i0-IN: policy DROP: "
>>        -A tap100i0-IN -j DROP
>> exists tap100i0-OUT (JwDnqsG9n2fnt8RZFCGMMl+rD90)
>>        -A tap100i0-OUT -p udp --dport 67 --sport 68 -g PVEFW-SET-ACCEPT-MARK
>>        -A tap100i0-OUT -m mac ! --mac-source 86:E2:F4:1C:9D:31 -j DROP
>>        -A tap100i0-OUT -m set ! --match-set PVEFW-100-ipfilter-net0-v4 src -j DROP
>>        -A tap100i0-OUT -j MARK --set-mark 0
>>        -A tap100i0-OUT -g PVEFW-SET-ACCEPT-MARK
>> ……
>> 
>> Puzzling to me:
>> 
>> from tap100i0-OUT to outside is DROP?
> 
> No, it is "! --match-set PVEFW-100-ipfilter-net0-v4"
> 
> Note: Notice the '!' (drop everything not matching)
> 
>> from outside to tap100i0-IN is still ACCEPT?
> 
> Yes, we only filter output so far. It is unclear to me if we gain much
> when filtering input also (would be easy to implement).
> 
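The asymmetry Dietmar describes, as an added example that is not part of the thread and not Proxmox code: a toy evaluator for the five match types that appear in the posted tap100i0-IN / tap100i0-OUT rules, walked for a handful of constructed packets. The 192.168.2.10 ipset member and the guest MAC come from the posted output; the members of PVEFW-0-vcloud-v4, the treatment of PVEFW-Drop as a no-verdict return, and the reading of a jump to PVEFW-SET-ACCEPT-MARK as ACCEPT are assumptions made for the demo, since none of that is shown on the page.

```python
"""Added example (not Proxmox code): walk the tap100i0-IN/-OUT chains from the
thread for a few packets, to see what ipfilter-net0 does and does not cover."""
import ipaddress
import shlex

# Rules copied from the posted compile output (line wraps joined).
RULES_OUT = [
    "-A tap100i0-OUT -p udp --dport 67 --sport 68 -g PVEFW-SET-ACCEPT-MARK",
    "-A tap100i0-OUT -m mac ! --mac-source 86:E2:F4:1C:9D:31 -j DROP",
    "-A tap100i0-OUT -m set ! --match-set PVEFW-100-ipfilter-net0-v4 src -j DROP",
    "-A tap100i0-OUT -j MARK --set-mark 0",
    "-A tap100i0-OUT -g PVEFW-SET-ACCEPT-MARK",
]
RULES_IN = [
    "-A tap100i0-IN -p udp --dport 68 --sport 67 -j ACCEPT",
    "-A tap100i0-IN -m set --match-set PVEFW-0-vcloud-v4 src -j ACCEPT",
    "-A tap100i0-IN -j PVEFW-Drop",
    '-A tap100i0-IN -j NFLOG --nflog-prefix ":100:7:tap100i0-IN: policy DROP: "',
    "-A tap100i0-IN -j DROP",
]
# ipset members: 192.168.2.10 is from the thread; the vcloud set's members are
# not shown on the page, so 192.168.2.0/24 is an assumption made for the demo.
IPSETS = {"PVEFW-100-ipfilter-net0-v4": ["192.168.2.10"],
          "PVEFW-0-vcloud-v4": ["192.168.2.0/24"]}
VM_MAC = "86:e2:f4:1c:9d:31"   # the guest's net0 MAC, from the posted rules

def in_set(name, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in IPSETS[name])

def parse_rule(line):
    """One '-A <chain> ...' line -> (chain, [(kind, value, negated)], target)."""
    tok = shlex.split(line)
    chain, tok = tok[1], tok[2:]
    matches, target, neg, i = [], None, False, 0
    while i < len(tok):
        t = tok[i]
        if t == "!":                       # negates the match that follows
            neg, i = True, i + 1
            continue
        if t == "-p":
            matches.append(("proto", tok[i + 1], neg)); i += 2
        elif t in ("--sport", "--dport"):
            matches.append((t[2:], int(tok[i + 1]), neg)); i += 2
        elif t == "--mac-source":
            matches.append(("mac", tok[i + 1].lower(), neg)); i += 2
        elif t == "--match-set":           # set name, then the src/dst flag
            matches.append(("set", (tok[i + 1], tok[i + 2]), neg)); i += 3
        elif t in ("-j", "-g"):
            target, i = tok[i + 1], i + 2
        elif t == "-m":                    # match module name; its options follow
            i += 2
        else:                              # target options: --set-mark, --nflog-prefix
            i += 1
        neg = False
    return chain, matches, target

def rule_matches(matches, pkt):
    for kind, val, neg in matches:
        if kind == "proto":
            hit = pkt["proto"] == val
        elif kind in ("sport", "dport"):
            hit = pkt[kind] == val
        elif kind == "mac":
            hit = pkt["mac"].lower() == val
        else:                              # ("set", (name, "src" | "dst"))
            hit = in_set(val[0], pkt[val[1]])
        if hit == neg:                     # plain miss, or negated hit
            return False
    return True

def evaluate(rules, pkt):
    """Walk a chain top to bottom and return its verdict. Assumptions: a jump to
    PVEFW-SET-ACCEPT-MARK ends in ACCEPT; PVEFW-Drop (not shown on the page)
    returns with no verdict; MARK and NFLOG are non-terminating."""
    for _chain, matches, target in map(parse_rule, rules):
        if rule_matches(matches, pkt):
            if target in ("ACCEPT", "PVEFW-SET-ACCEPT-MARK"):
                return "ACCEPT"
            if target == "DROP":
                return "DROP"
    return "RETURN"                        # fell off the end of the chain

def referenced_sets(rules):
    """Which ipsets a chain consults at all."""
    return {v[0] for _c, m, _t in map(parse_rule, rules) for k, v, _n in m if k == "set"}

def vm_egress(src, mac=VM_MAC, proto="tcp", sport=40000, dport=443):
    """A packet leaving the guest through net0 (chain tap100i0-OUT)."""
    return evaluate(RULES_OUT, {"proto": proto, "src": src, "dst": "10.0.0.1",
                                "sport": sport, "dport": dport, "mac": mac})

def vm_ingress(src, dst):
    """A packet from the bridge towards the guest (chain tap100i0-IN)."""
    return evaluate(RULES_IN, {"proto": "tcp", "src": src, "dst": dst,
                               "sport": 40000, "dport": 22, "mac": "00:11:22:33:44:55"})
```

Running `vm_egress("192.168.2.99")` or `vm_egress("192.168.2.10", mac="02:00:00:00:00:01")` gives DROP, so a guest cannot spoof another address or MAC on net0, while DHCP discovery (UDP 68 to 67) is exempted before the ipset check. `referenced_sets(RULES_IN)` never mentions the ipfilter set, which is why a packet to a destination outside the set, such as `vm_ingress("192.168.2.1", "192.168.2.99")`, is still accepted: inbound is decided only by the guest's own security-group rules.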
