[pve-devel] pve-firewall : add ipfilter protection
Stefan Priebe - Profihost AG
s.priebe at profihost.ag
Fri Jun 13 15:49:18 CEST 2014
On 13.06.2014 15:47, Alexandre DERUMIER wrote:
>>> I did a complete shutdown / kill kvm process and a fresh start.
> Should not be necessary.
> the firewall=0|1 in net interface, is to create a new bridge fwbrxxx, tap is detached from vmbrX, attached to fwbrxxx, and fwbrxx is plugged to vmbrx through a veth pair.
> So this is done online.
Seems like this one is never created:
[/etc/pve]# ip a l|grep fwbr
[/etc/pve]#
> ----- Original message -----
>
> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
> To: "Alexandre DERUMIER" <aderumier at odiso.com>, "Dietmar Maurer" <dietmar at proxmox.com>
> Cc: pve-devel at pve.proxmox.com
> Sent: Friday 13 June 2014 15:41:08
> Subject: Re: [pve-devel] pve-firewall : add ipfilter protection
>
>
> On 13.06.2014 15:36, Alexandre DERUMIER wrote:
>>>> And you enabled the firewall on that network interface? (stop/restart VM required).
>> No vm restart is needed, hopefully ;)
>
> I did a complete shutdown / kill kvm process and a fresh start.
>
> Regards
>
>> ----- Original message -----
>>
>> From: "Dietmar Maurer" <dietmar at proxmox.com>
>> To: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>, "Alexandre DERUMIER" <aderumier at odiso.com>
>> Cc: pve-devel at pve.proxmox.com
>> Sent: Friday 13 June 2014 14:54:32
>> Subject: RE: [pve-devel] pve-firewall : add ipfilter protection
>>
>>> OK seems my testing is wrong.
>>>
>>> What I did:
>>>
>>> /etc/pve/firewall/2004.fw:
>>> [IPSET ipfilter-net0]
>>> 10.10.28.5
>>>
>>> I then enabled the Firewall for this VM.
>>
>> Also enabled the firewall in cluster.fw?
>>
>>> The VM has now 10.10.28.4 on net0 - but the VM is still able to make traffic with
>>> 10.10.28.4. Anything I did wrong?
>>
>> And you enabled the firewall on that network interface? (stop/restart VM required).
>> Are normal firewall rules working?
>>