[pve-devel] Firewalling Proxmox with Shorewall
michel at loiseleur.com
Fri Aug 17 00:10:42 CEST 2012
I've came back from my holidays :). See my response below.
Le 06/08/2012 13:16, Dietmar Maurer a écrit :
> I just set up a git repository for the firewall test code:
It seems great and a good place to start hacking. I just needed to copy
sample 1XX.fw files into /etc/pve/firewall/ in order to test it.
> Unfortunately zone names are limited to 5 characters, so we need
> to translate the into short names. The current code adds the long
> name as comment to the output files.
> What do you think? Will that work?
First, You've made a useful trick for zone name limitations. It keeps
rules & policy readable despite this limitation.
It seems to work between vms, at least with a simple ping test.
With a simple 101.fw like this :
Ping(ACCEPT) net0 172.16.0.234 172.16.0.120
It works as attended : ping works from 172.16.0.234 to 172.16.0.120 and
doesn't from an other IP or from 172.16.0.120 to 172.16.0.234.
In shorewall rules files, it has generated 3 rules:
Ping(ACCEPT) $VMBR0:172.16.0.234 $VMBR0_VM101:tap101i0:172.16.0.120
Ping(ACCEPT) $VMBR0_EXT:172.16.0.234 $VMBR0_VM101:tap101i0:172.16.0.120
Ping(ACCEPT) $VMBR0_VM100:172.16.0.234 $VMBR0_VM101:tap101i0:172.16.0.120
Take note that this rule has the same effects as the three above:
Ping(ACCEPT) $VMBR0_VM100:tap100i0 $VMBR0_VM101:tap101i0
And this one should work for an external IP this vm:
Ping(ACCEPT) $VMBR0_EXT:X.X.X.X $VMBR0_VM101:tap101i0
What do you think about :
1) Renaming variables like $VMBR0VM100 to something like $VMBR_VM100 ?
2) Enhancing vm.fw syntax with a vm1XX:net0 syntax, instead of its IP ?
3) Enhancing vm.fw syntax with a brX syntax in order to get a rule like
Ping(ACCEPT) $VMBRX ...
4) By default, IP rules would produce only rules like this:
Ping(ACCEPT) $VMBR0_EXT:IP ...
I'll also check what I can about testing from an external work, but not
tonight. I am not sure, too, if this can work between 2 bridges.
More information about the pve-devel