[pve-devel] Firewalling Proxmox with Shorewall
dietmar at proxmox.com
Fri Aug 17 09:58:39 CEST 2012
> > > And this one should work for an external IP this vm:
> > > Ping(ACCEPT) $VMBR0_EXT:X.X.X.X $VMBR0_VM101:tap101i0
> And that's the same for this case: If I want to filter from an external IP, this
> rule should be enough.
> Is this more clear ?
Yes, but we want a solution which work for all scenarios. IMHO, my solution works
in both cases. Or what exactly does not work?
> > > What do you think about :
> > > 1) Renaming variables like $VMBR0VM100 to something like
> > > $VMBR_VM100
> > Why do you want to drop the bridge number? Or do you just want to add
> > an underscore? Like $VMBR0_VM100 - that would be OK for me.
> It's just an underscore, sorry for the typo. I'll send the patch, then.
> > > 2) Enhancing vm.fw syntax with a vm1XX:net0 syntax, instead of its
> > > IP ?
> > Using IPs is standard, so it makes no sense to remove that feature.
> > The purpose is not
> > to select a specific VM. You use that to limit access to/from certain
> > external IPs.
> > But you are right, we can allow VM zone names additionally.
> > > 3) Enhancing vm.fw syntax with a brX syntax in order to get a rule
> > > like
> > I guess we need two different rules files. One for the VMs (this is
> > implemented), and one per node (or cluster wide).
> > The node wide rules files can have normal shorewall syntax, and we can
> > allow to use zone variables like $VMBR0_VM100. That file can only be
> > edited by admin, so we can basically allow all shorewall features
> > there (DNAT, SNAT, ...)
> I agree with you, we need a node wide rules files. When I tested, gui was not
> accessible and I knew that my ssh won't be able to reconnect.
Maybe we can add some default rules to allow ssh, https traffic?
> > > I am not sure, too, if this can work between 2 bridges.
> > This will not work between different bridges, and this is intended
> > behaviour.
> > If someone wants that, he needs to use a routed network setup (like
> > openvz venet).
> > Do you think this limitation will bite us? I don't really think that
> > is needed.
> ATM, it's not really clear in my mind what a routed network setup can look
Like OpenVZ containers with venet.
> But my guess is clearly "No", provided the fact that it's clear in the doc.
> Firewall can be deactivated easily and completely. So if one would like to
> implement firewall in a different software or appliance (like a FortiGate or a
> Checkpoint), he would be able to do that.
More information about the pve-devel