[PVE-User] Re: How to create simplist firewall for Containers with Venet?
Giuliano Natali (Diaolin)
diaolin at diaolin.com
Tue Jul 3 09:17:15 CEST 2012
Bruce B wrote:
> Hi Everyone,
>
> I am looking for a very simple firewall or method that would prevent
> containers from being able to ping each other or the mother node. The reason
> for this is so that the other containers or the mother node don't come under
> attack if one of the containers is confiscated.
>
Shorewall, I think, is a good solution:
shorewall.net for the site,
apt-get install shorewall to install it.
> Currently, I am using pfSense to provide private IP subnet to all
> container and containers are either using Veth or Venet.
Use a muted bridge, like this:
# /etc/network/interfaces: a bridge with no physical port attached
auto vmbr0
iface vmbr0 inet static
        address 192.168.254.254
        netmask 255.255.255.0
        network 192.168.254.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
and attach the firewall itself and all the containers to it.
> However, using both methods
> I am still able to ping other containers and mother node.
Of course; even on a normal LAN you could not stop this
behaviour.
The netmask is your enemy!
:-)
I normally do it this way:
# one empty bridge per container; the host itself gets no address on them
auto vmbr100
iface vmbr100 inet manual
        bridge_ports none
        bridge_stp off
        bridge_fd 0

auto vmbr101
iface vmbr101 inet manual
        bridge_ports none
        bridge_stp off
        bridge_fd 0
and attach a container to each bridge,
and the firewall too (pfSense, for example).
In this manner you have
192.168.254.2/30 as the container, with gateway
192.168.254.1 (pfSense),
and so on.
If you need more information, write directly to me...
Diaolin
> I am not looking
> to involve another firewall than the one I currently have, and if I have to do
> anything on the mother, I prefer it to be simple changes, as management becomes
> a nightmare if I have to do iptables.
With Shorewall, iptables is like a charm...
>
> Please advise as to what my options are.
>
> Much appreciated,
> Bruce
> _______________________________________________
> pve-user mailing list
> pve-user at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
>