[pve-devel] Firewalling Proxmox with Shorewall

Dietmar Maurer dietmar at proxmox.com
Mon Aug 6 13:16:01 CEST 2012


> Now that I hope to have gained my "you're not anymore a complete noob in
> shorewall networking" medal, maybe I would be able to see what can I do
> about multiple bridges. It seems there's a start of answer here:
> http://www1.shorewall.net/bridge-Shorewall-perl.html#Multiple
> 
> According to this page, one should be able to use a logical name in order to
> workaround uniqueness on port name.

I just set up a git repository for the firewall test code:

https://git.proxmox.com/?p=pve-firewall.git;a=summary

I think it can work this way, but I never tested it completely.

You can find an example vm firewall configuration in 'config/100.fw'

If you run ./fwtest.pl it generates an example shorewall config in 'testdir'

# ls -l testdir/
total 16
-rw-r--r-- 1 root root 805 Aug  6 12:48 interfaces
-rw-r--r-- 1 root root 105 Aug  6 12:48 policy
-rw-r--r-- 1 root root 288 Aug  6 12:48 rules
-rw-r--r-- 1 root root 589 Aug  6 12:48 zones

IDEA:

Each VM is inside a '$vmzone', by default 'vm$vmid'.
Or you can set the zone in the vm config (to group several vms
into the same zone).

We create one shorewall zone for each ${bridge} and ${vmzone},
and call that zone "z${bridge}${vmzone}". 

If we have vlan $tag on that bridge, we create a zone
named "z${bridge}v${tag}${vmzone}".

Unfortunately zone names are limited to 5 characters, so we need
to translate them into short names. The current code adds the long
name as a comment to the output files.

What do you think? Will that work?

- Dietmar
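The zone naming scheme described in the mail, worked through as an added Python example (not code from the pve-firewall repository, which is Perl): long names are built as z${bridge}${vmzone} or z${bridge}v${tag}${vmzone}, then shortened to the 5-character limit with a deterministic hash, kept unique, and written to a Shorewall 'zones' file with the long name recorded as a comment. The vm config dicts and the hash-based shortening are assumptions for illustration.

```python
import hashlib

ZONE_MAX = 5  # Shorewall zone name limit mentioned in the mail

def vm_zone(vm):
    """'$vmzone' for a vm config dict: explicit 'zone' key, else 'vm$vmid'."""
    return vm.get("zone") or f"vm{vm['vmid']}"

def long_zone_name(bridge, vmzone, tag=None):
    """z${bridge}${vmzone}, or z${bridge}v${tag}${vmzone} when a VLAN tag is set."""
    return f"z{bridge}v{tag}{vmzone}" if tag is not None else f"z{bridge}{vmzone}"

class ZoneTable:
    """Translates long zone names to unique short names (<= ZONE_MAX chars)."""
    def __init__(self):
        self.short_of = {}   # long name -> short name
        self.used = set()    # short names already handed out

    def short_name(self, long_name):
        if long_name in self.short_of:
            return self.short_of[long_name]
        # 'z' + hex digits of a hash of the long name (assumed scheme): the same
        # long name always yields the same short name, and the result starts with
        # a letter as Shorewall requires. On a collision, re-hash with a counter.
        n = 0
        while True:
            digest = hashlib.sha256(f"{long_name}#{n}".encode()).hexdigest()
            cand = ("z" + digest)[:ZONE_MAX]
            if cand not in self.used:
                break
            n += 1
        self.used.add(cand)
        self.short_of[long_name] = cand
        return cand

def build_zones(vms):
    """Return (ZoneTable, text of a Shorewall 'zones' file) for a list of vm configs."""
    table = ZoneTable()
    lines = ["#ZONE\tTYPE", "fw\tfirewall"]
    for vm in vms:
        name = long_zone_name(vm["bridge"], vm_zone(vm), vm.get("tag"))
        first_time = name not in table.short_of
        short = table.short_name(name)
        if first_time:  # vms sharing a zone get one zone entry
            lines.append(f"# {short} = {name}")
            lines.append(f"{short}\tipv4")
    return table, "\n".join(lines) + "\n"

# Constructed sample: two vms grouped into one zone, one vm on a VLAN.
SAMPLE_VMS = [
    {"vmid": 100, "bridge": "vmbr0", "zone": "web"},
    {"vmid": 101, "bridge": "vmbr0", "zone": "web"},
    {"vmid": 102, "bridge": "vmbr0", "tag": 20},
]
```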
