[pve-devel] firewall option nosmurfs and tcpflags

Alexandre DERUMIER aderumier at odiso.com
Fri Apr 18 15:34:52 CEST 2014


>>but that only works if the optimize flag is set (else we do not have that rule)? 

I wanted to say something like:

    # Optional hardening chains, each only when its host option is set:
    # smurfs check on INVALID/NEW packets, tcpflags check on every TCP packet.
    ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs") if $hostfw_options->{nosmurfs};
    ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-p tcp -j PVEFW-tcpflags") if $hostfw_options->{tcpflags};

    if ($hostfw_options->{optimize}) {
        # Hand RELATED/ESTABLISHED traffic to the IPS chain when one exists,
        # otherwise accept it directly; drop INVALID packets early.
        my $accept = ruleset_chain_exist($ruleset, "PVEFW-IPS") ? "PVEFW-IPS" : "ACCEPT";
        ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j $accept");
        ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate INVALID -j DROP");
    }


----- Original Message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Friday 18 April 2014 10:30:28
Subject: RE: firewall option nosmurfs and tcpflags

> just put the rule in PVEFW-FORWARD, after
>
> -A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
> -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
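The rule-ordering question in the exchange above, as an added example that is neither part of the original mails nor pve-firewall code: a Python model of the proposed snippet that shows the order the PVEFW-FORWARD chain ends up in and which rule a packet hits first. It assumes, as an assumption about pve-firewall, that `ruleset_insertrule` prepends to the chain, so later inserts land above earlier ones; `build_forward_chain` and `first_match` are hypothetical helpers written for this example.

```python
# Added example, not pve-firewall code. Assumption: ruleset_insertrule
# prepends (unshift semantics), so the last inserted rule is matched first.

def ruleset_chain_exist(ruleset, chain):
    return chain in ruleset

def ruleset_insertrule(ruleset, chain, rule):
    """Prepend a rule to the chain (assumed unshift semantics)."""
    if chain not in ruleset:
        raise KeyError(f"no such chain '{chain}'")
    ruleset[chain].insert(0, f"-A {chain} {rule}")

def build_forward_chain(hostfw_options, has_ips=False):
    """Mirror the proposed snippet; return PVEFW-FORWARD top to bottom."""
    ruleset = {"PVEFW-FORWARD": [], "PVEFW-smurfs": [], "PVEFW-tcpflags": []}
    if has_ips:
        ruleset["PVEFW-IPS"] = []
    if hostfw_options.get("nosmurfs"):
        ruleset_insertrule(ruleset, "PVEFW-FORWARD",
                           "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs")
    if hostfw_options.get("tcpflags"):
        ruleset_insertrule(ruleset, "PVEFW-FORWARD", "-p tcp -j PVEFW-tcpflags")
    if hostfw_options.get("optimize"):
        accept = "PVEFW-IPS" if ruleset_chain_exist(ruleset, "PVEFW-IPS") else "ACCEPT"
        ruleset_insertrule(ruleset, "PVEFW-FORWARD",
                           f"-m conntrack --ctstate RELATED,ESTABLISHED -j {accept}")
        ruleset_insertrule(ruleset, "PVEFW-FORWARD",
                           "-m conntrack --ctstate INVALID -j DROP")
    return ruleset["PVEFW-FORWARD"]

def first_match(chain, packet_state, proto):
    """Return the first rule a packet (conntrack state, L4 proto) would hit."""
    for rule in chain:
        if "--ctstate" in rule:
            states = rule.split("--ctstate ")[1].split()[0].split(",")
            if packet_state not in states:
                continue
        if "-p tcp" in rule and proto != "tcp":
            continue
        return rule
    return None

if __name__ == "__main__":
    for rule in build_forward_chain({"nosmurfs": 1, "tcpflags": 1, "optimize": 1}):
        print(rule)
```

With optimize set, INVALID DROP and RELATED,ESTABLISHED ACCEPT come out on top and only NEW (and, for tcpflags, every TCP) packets reach the extra chains; without optimize, every forwarded packet passes through them.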

