[pve-devel] pve-firewall : add ipfilter protection
Stefan Priebe - Profihost AG
s.priebe at profihost.ag
Fri Jun 13 15:07:23 CEST 2014
On 13.06.2014 14:54, Dietmar Maurer wrote:
>> OK seems my testing is wrong.
>>
>> What I did:
>>
>> /etc/pve/firewall/2004.fw:
>> [IPSET ipfilter-net0]
>> 10.10.28.5
>>
>> I then enabled the Firewall for this VM.
>
> Also enabled the firewall in cluster.fw?
>
>> The VM now has 10.10.28.4 on net0 - but the VM is still able to make traffic with
>> 10.10.28.4. Anything I did wrong?
>
> And you enabled the firewall on that network interface? (stop/restart VM required).
> Are normal firewall rules working?
Some details:
- VM freshly started
- # cat /etc/pve/firewall/cluster.fw
[OPTIONS]
enable: 1
- # cat /etc/pve/firewall/2004.fw
[OPTIONS]
enable: 1
[IPSET ipfilter-net0]
10.10.28.5
That's it.
I then tried:
- # cat /etc/pve/firewall/2004.fw
[OPTIONS]
enable: 1
[IPSET ipfilter-net0]
10.10.28.5
[RULES]
OUT DROP -i net0 -p tcp -dport 80
But I can still download http content.
Stefan