[pve-devel] [PATCH 0/3] Patch to add forward chain control in pve-firewall

Dietmar Maurer dietmar at proxmox.com
Mon May 11 06:22:28 CEST 2015


> How are you doing that? Creating a group didn't add anything to the
> FORWARD chain. And Linux netfilter is forwarding all packets from one
> bridge to the other (I am using the host as a "router" for the
> bridges).

The idea is to create a group with all rules you want to apply, for example:

# cat /etc/pve/firewall/cluster.fw 
[group group1]
IN ACCEPT -dest 10.1.1.0/24 -p tcp -dport 80

Then you can use this group for all VMs on vmbr1:

# cat /etc/pve/firewall/100.fw 
[RULES]
GROUP group1

The disadvantage is that you need to configure that group rule 
for each VM. Some time ago there was an idea to add mandatory 
groups, so that all VMs automatically apply rules from those groups.

Or is there another reason you want to use the 'FORWARD' chain?
 
> 2015-05-10 17:04 GMT+02:00 Dietmar Maurer <dietmar at proxmox.com>:
> >> *guests in vmbr1 are allowed to receive external traffic only on port 80
> >> *guests in vmbr2 are allowed only to receive only traffic on mysql
> >> port from 10.1.1.0/24
> >>
> >> set FORWARDING policy to REJECT or DROP
> >> add rules:
> >> * chain FORWARD from any to 10.1.1.0/24 port tcp/80 accept
> >> * chain FORWARD from 10.1.1.0/25 to 10.1.2.0/24 port tcp/3306 accept
> >
> > Why don't you use a security group for that?
> >
> 
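A worked configuration for the two-bridge scenario quoted above, using the security-group mechanism the reply describes. This is an added example, not a config from the thread or the Proxmox project; it assumes VM 100 sits on vmbr1, VM 200 on vmbr2, that 10.1.1.0/24 is the vmbr1 subnet, and that the cluster-wide firewall is already enabled.

```ini
# /etc/pve/firewall/cluster.fw  (added example; group names are assumed)
[group web-vmbr1]
# guests on vmbr1: only inbound TCP/80, from any source
IN ACCEPT -p tcp -dport 80

[group db-vmbr2]
# guests on vmbr2: only MySQL, and only from the vmbr1 subnet
IN ACCEPT -source 10.1.1.0/24 -p tcp -dport 3306

# /etc/pve/firewall/100.fw  (VM 100 on vmbr1, assumed)
[OPTIONS]
enable: 1
policy_in: DROP

[RULES]
GROUP web-vmbr1

# /etc/pve/firewall/200.fw  (VM 200 on vmbr2, assumed)
[OPTIONS]
enable: 1
policy_in: DROP

[RULES]
GROUP db-vmbr2
```

With policy_in: DROP on each VM, anything the group does not accept is dropped at that VM's interface, which plays the role of the REJECT/DROP FORWARD policy in the quoted plan; every new VM on these bridges still needs its own GROUP line, which is the drawback the reply points out.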