[pve-devel] pvefw security group question

Alexandre DERUMIER aderumier at odiso.com
Tue Feb 18 13:32:03 CET 2014


>>It is currently possible to partly apply security groups, only for one direction. 

Currently you can apply the security group in both directions

vmid.fw
[IN]
GROUP-security1 net0 - - - - -

[OUT]
GROUP-security1 net0 - - - - -


but in vmid.fw, I only specify the GROUP name. 

But in firewall.pm, I force $group.'-IN' or $group.'-OUT',
to be sure that a wrong group-in is not in tap-out, for example.



Note, I have sent a small fix yesterday to the mailing list,
"
@@ -430,7 +430,7 @@ sub generate_group_rules {
             # we go the BRIDGEFW-IN because we need to check also other tap rules 
             # (and group rules can be set on any bridge, so we can't go to VMBRXX-IN)
             $rule->{action} = 'BRIDGEFW-IN' if $rule->{action} eq 'ACCEPT';
-            ruleset_generate_rule($rule, $chain, $rule);
+            ruleset_generate_rule($ruleset, $chain, $rule);
         }
     }
 }
"
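Review bot: the in-place rewrite `$rule->{action} = 'BRIDGEFW-IN' if $rule->{action} eq 'ACCEPT';` just above the fixed call mutates the rule hash itself; if the same group rule hashes are reused to emit the other direction (where, per this mail, the jump must stay `ACCEPT`), the action will already have been rewritten by the time the second direction is generated, so consider working on a copy of `$rule` before changing its action. The `$rule` -> `$ruleset` change in the first argument of `ruleset_generate_rule` itself looks right: the old call passed `$rule` twice and never handed the ruleset to the generator.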
maybe this is because you can't apply the group rule in both directions?



>>Do you really want that (why)?

We need to be careful, because in GROUP-OUT we jump to BRIDGEFW-IN instead of ACCEPT.

>>Or can we use an extra section for GROUPS, and always apply both directions?
But we could define
[GROUPS] 
securityname1 net0 

and generate GROUP-IN and GROUP-OUT from this rule. (The only difference is -j ACCEPT or -j BRIDGEFW-IN.)


----- Mail original ----- 

From: "Dietmar Maurer" <dietmar at proxmox.com> 
To: "Alexandre DERUMIER (aderumier at odiso.com)" <aderumier at odiso.com> 
Cc: pve-devel at pve.proxmox.com 
Sent: Tuesday 18 February 2014 12:59:18 
Subject: pvefw security group question 



It is currently possible to partly apply security groups, only for one direction. 

Do you really want that (why)? Or can we use an extra section for GROUPS, and always apply both directions? 

------------------------------ 
[GROUPS] 
securityname1 net0 

------------------------------ 
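The [GROUPS] proposal discussed above, as an added example that is not part of the Proxmox code or of either mail: a small Perl script parses a constructed vmid.fw-style text with a [GROUPS] section and emits both the GROUP-<name>-IN and GROUP-<name>-OUT chains from one entry, rewriting ACCEPT to BRIDGEFW-IN only for the OUT direction. The section syntax, the group contents (%groups), the chain names and the iptables lines are assumptions modelled on the snippets in the mail.

```perl
#!/usr/bin/perl
# Added example, not Proxmox code: derive GROUP-<name>-IN and GROUP-<name>-OUT
# from a single [GROUPS] entry, as proposed in the mail above.
use strict;
use warnings;

# Constructed sample config; section and rule syntax modelled on the mail.
my $vmfw = <<'EOF';
[GROUPS]
security1 net0
EOF

# Constructed group definitions (name => rules); the real cluster-level
# security group content is not shown in the mail, so this is an assumption.
my %groups = (
    security1 => [ { action => 'ACCEPT', proto => 'tcp', dport => 22 },
                   { action => 'DROP',   proto => 'tcp', dport => 23 } ],
);

sub parse_vmfw {
    my ($text) = @_;
    my %cfg = (GROUPS => [], IN => [], OUT => []);
    my $section;
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(#|$)/;                 # skip blanks and comments
        if ($line =~ /^\[(\w+)\]\s*$/) { $section = uc $1; next; }
        die "rule before section header: $line\n" unless defined $section;
        my @f = split /\s+/, $line;
        push @{ $cfg{$section} }, { name => $f[0], iface => $f[1] };
    }
    return \%cfg;
}

# One chain per direction. The only difference is the jump target: ACCEPT in
# the IN chain, BRIDGEFW-IN in the OUT chain (so the other tap rules are still
# checked), which is exactly the asymmetry the mail points out.
sub generate_group_chains {
    my ($cfg, $groups) = @_;
    my @lines;
    for my $entry (@{ $cfg->{GROUPS} }) {
        my $rules = $groups->{ $entry->{name} } or die "unknown group $entry->{name}\n";
        for my $dir (qw(IN OUT)) {
            my $chain = "GROUP-$entry->{name}-$dir";
            for my $r (@$rules) {
                my %rule = %$r;   # copy, so the rewrite does not leak into the other direction
                $rule{action} = 'BRIDGEFW-IN' if $dir eq 'OUT' && $rule{action} eq 'ACCEPT';
                push @lines, "-A $chain -p $rule{proto} --dport $rule{dport} -j $rule{action}";
            }
        }
    }
    return @lines;
}

print "$_\n" for generate_group_chains(parse_vmfw($vmfw), \%groups);
```

Running it prints four -A lines: the two GROUP-security1-IN rules keep ACCEPT/DROP, while in GROUP-security1-OUT the ACCEPT rule becomes -j BRIDGEFW-IN and the DROP rule is unchanged.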


