[pve-devel] pvefw security group question

Alexandre DERUMIER aderumier at odiso.com
Wed Feb 19 09:44:49 CET 2014


OK, I'll test the latest git, I think it should work.

(But in the end, you create GROUP-IN and GROUP-OUT rules? I thought you wanted common group rules.)




----- Original Mail -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Wednesday 19 February 2014 08:03:57
Subject: RE: [pve-devel] pvefw security group question

> Not sure, you do a goto PVE_SPECIAL_ACCEPT, so it's finished in
> PVE_SPECIAL_ACCEPT.
>
> But how do you go into vmbrX-IN to check the destination inbound rules?

here is an example: 

... 
create PVEFW-SET-ACCEPT-MARK (uGWkX9NXBZni/I1q1QPuKX6AX5w) 
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-mark 1 

create GROUP-group1-IN (ero56fv6+VERm+VzEg8tBYCeC3Q) 
-A GROUP-group1-IN -p tcp --dport 22 -j ACCEPT 

create GROUP-group1-OUT (ftsSscJQ0Ev+Oi9l72TJRxz5UjE) 
-A GROUP-group1-OUT -j MARK --set-mark 0 
-A GROUP-group1-OUT -p tcp --dport 80 -g PVEFW-SET-ACCEPT-MARK 

update tap100i0-OUT (iXbuWZcc7VZC6uexpZjL4Nwg5uY) 
-A tap100i0-OUT -m state --state INVALID -j DROP 
-A tap100i0-OUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A tap100i0-OUT -m mac ! --mac-source 0E:0B:38:B8:B3:21 -j DROP 
-A tap100i0-OUT -j GROUP-group1-OUT 
-A tap100i0-OUT -m mark --mark 1 -j vmbr0-IN 
-A tap100i0-OUT -j LOG --log-prefix "tap100i0-OUT-dropped: " --log-level 4 
-A tap100i0-OUT -j DROP 


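To make the jump/goto semantics behind Dietmar's example concrete, here is an added Python model of the chain walk (written for this page, not pve-firewall code): -j records a return point and -g does not, so when PVEFW-SET-ACCEPT-MARK falls off its end, control comes back to tap100i0-OUT rather than GROUP-group1-OUT, and the "-m mark --mark 1" test there sends the packet on into vmbr0-IN. The vmbr0-IN chain is assumed to simply accept, since the mail does not show its rules.

```python
VM_MAC = "0E:0B:38:B8:B3:21"   # the MAC pinned by the "-m mac ! --mac-source" rule
ANY = lambda p: True

def new_packet(proto, dport, mac=VM_MAC, state="NEW"):
    return {"proto": proto, "dport": dport, "mac": mac, "state": state, "mark": 0}

# chain -> ordered rules (predicate, verb, target) from the mail; vmbr0-IN is a stand-in
CHAINS = {
    "PVEFW-SET-ACCEPT-MARK": [(ANY, "mark", 1)],
    "GROUP-group1-IN": [(lambda p: p["proto"] == "tcp" and p["dport"] == 22, "accept", None)],
    "GROUP-group1-OUT": [(ANY, "mark", 0),
                         (lambda p: p["proto"] == "tcp" and p["dport"] == 80,
                          "goto", "PVEFW-SET-ACCEPT-MARK")],
    "tap100i0-OUT": [(lambda p: p["state"] == "INVALID", "drop", None),
                     (lambda p: p["state"] in ("RELATED", "ESTABLISHED"), "accept", None),
                     (lambda p: p["mac"] != VM_MAC, "drop", None),
                     (ANY, "jump", "GROUP-group1-OUT"),
                     (lambda p: p["mark"] == 1, "jump", "vmbr0-IN"),
                     (ANY, "log", "tap100i0-OUT-dropped: "),
                     (ANY, "drop", None)],
    "vmbr0-IN": [(ANY, "accept", None)],
}

def traverse(chains, start, pkt):
    """Return (verdict, chains visited); -j pushes a return point, -g does not."""
    visited, stack, chain, i = [start], [], start, 0
    while True:
        if i >= len(chains[chain]):            # end of chain: implicit RETURN
            if not stack:
                return "policy", visited       # would be the built-in chain policy
            chain, i = stack.pop()
            continue
        match, verb, target = chains[chain][i]
        i += 1
        if not match(pkt):
            continue
        if verb in ("accept", "drop"):
            return verb, visited
        if verb == "mark":
            pkt["mark"] = target
        elif verb == "log":
            pkt.setdefault("logs", []).append(target)
        elif verb in ("jump", "goto"):
            if verb == "jump":
                stack.append((chain, i))       # goto records no return point
            chain, i = target, 0
            visited.append(chain)

def route(proto, dport, **fields):
    return traverse(CHAINS, "tap100i0-OUT", new_packet(proto, dport, **fields))
```

route("tcp", 80) ends in vmbr0-IN with an accept, while route("tcp", 443) never sets the mark and is logged and dropped in tap100i0-OUT.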
