[PVE-User] less a firewall rule?

Alexandre DERUMIER aderumier at odiso.com
Mon Jul 28 09:45:24 CEST 2014 

can you provide firewall config files ?

/etc/pve/firewall/<vmid>.fw
/etc/pve/firewall/cluster.fw


----- Mail original ----- 

De: "lyt_yudi" <lyt_yudi at icloud.com> 
À: "Dietmar Maurer" <dietmar at proxmox.com>, "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: "proxmoxve (pve-user at pve.proxmox.com)" <pve-user at pve.proxmox.com> 
Envoyé: Lundi 28 Juillet 2014 09:37:59 
Objet: less a firewall rule? 


hi,Dietmar, Alexandre 


when I tested firewall for a vm, have a problem. some rules as follows: 


…... 
exists tap101i0-IN (BTEOhWV/v+Zl6CQWeg2ZJDm8Vbk) 
-A tap101i0-IN -p udp --dport 68 --sport 67 -j ACCEPT 
-A tap101i0-IN -j PVEFW-Drop 
-A tap101i0-IN -j NFLOG --nflog-prefix ":101:7:tap101i0-IN: policy DROP: " 
-A tap101i0-IN -j DROP 
exists tap101i0-OUT (x7NhU3mpqGhLeZq46V3iXxrU25E) 
-A tap101i0-OUT -p udp --dport 67 --sport 68 -g PVEFW-SET-ACCEPT-MARK 
-A tap101i0-OUT -m mac ! --mac-source 76:A4:04:1D:4F:BE -j DROP 
-A tap101i0-OUT -j MARK --set-mark 0 
-A tap101i0-OUT -g PVEFW-SET-ACCEPT-MARK 
exists tap101i1-IN (7PKojdznbQ+5daSJnZK2atU9BHY) 
-A tap101i1-IN -p udp --dport 68 --sport 67 -j ACCEPT 
-A tap101i1-IN -m set --match-set PVEFW-0-testnet src -j ACCEPT 
-A tap101i1-IN -j PVEFW-Drop 
-A tap101i1-IN -j NFLOG --nflog-prefix ":101:7:tap101i1-IN: policy DROP: " 
-A tap101i1-IN -j DROP 
exists tap101i1-OUT (TmXwL3AjUtJkFHtwoEVqon/JArQ) 
-A tap101i1-OUT -p udp --dport 67 --sport 68 -g PVEFW-SET-ACCEPT-MARK 
-A tap101i1-OUT -m mac ! --mac-source CA:24:FC:72:CE:EC -j DROP 
-A tap101i1-OUT -j MARK --set-mark 0 
-A tap101i1-OUT -g PVEFW-SET-ACCEPT-MARK 
…… 




why for tap101i0-IN have no this rule: 
……. 
-A tap101i0-IN -m set --match-set PVEFW-0-testnet src -j ACCEPT 
……. 


#this vm conf: 

balloon: 2048 
bootdisk: virtio0 
cores: 4 
cpuunits: 10000 
hotplug: 1 
memory: 4096 
name: test2 
net0: virtio=76:A4:04:1D:4F:BE,bridge=vmbr1,tag=40,firewall=1 
net1: virtio=CA:24:FC:72:CE:EC,bridge=vmbr1,tag=3009,firewall=1 
onboot: 0 
ostype: l26 
sockets: 1 
virtio0: c051401:vm-101-disk-1,size=32G 


I have tested it a few times(disable firewall for net0 and reenable firewall for net0,and shutdown this vm ,also the same wrong.) 
bug for the second vm rule is correct: 
…... 

exists tap103i0-IN (qR3fhxLpBwau+mwYpGORriUkchU) 
-A tap103i0-IN -p udp --dport 68 --sport 67 -j ACCEPT 
-A tap103i0-IN -m set --match-set PVEFW-0-testnet src -j ACCEPT 
-A tap103i0-IN -j PVEFW-Drop 
-A tap103i0-IN -j NFLOG --nflog-prefix ":103:7:tap103i0-IN: policy DROP: " 
-A tap103i0-IN -j DROP 
exists tap103i0-OUT (gjMtlzzvQKkF68JPWemW8Qu2fJ8) 
-A tap103i0-OUT -p udp --dport 67 --sport 68 -g PVEFW-SET-ACCEPT-MARK 
-A tap103i0-OUT -m mac ! --mac-source CE:60:6C:FB:81:4F -j DROP 
-A tap103i0-OUT -j MARK --set-mark 0 
-A tap103i0-OUT -g PVEFW-SET-ACCEPT-MARK 
exists tap103i1-IN (68gAcGFOIN2RENZVA38EeZlG8tQ) 
-A tap103i1-IN -p udp --dport 68 --sport 67 -j ACCEPT 
-A tap103i1-IN -m set --match-set PVEFW-0-testnet src -j ACCEPT 
-A tap103i1-IN -j PVEFW-Drop 
-A tap103i1-IN -j NFLOG --nflog-prefix ":103:7:tap103i1-IN: policy DROP: " 
-A tap103i1-IN -j DROP 
exists tap103i1-OUT (FeGjbt3klifLfGifM/M1okkEWAQ) 
-A tap103i1-OUT -p udp --dport 67 --sport 68 -g PVEFW-SET-ACCEPT-MARK 
-A tap103i1-OUT -m mac ! --mac-source 9E:1B:EB:D9:25:91 -j DROP 
-A tap103i1-OUT -j MARK --set-mark 0 
-A tap103i1-OUT -g PVEFW-SET-ACCEPT-MARK 
…... 


there, if i use ping from 103i0 to 101i0, get error: Request timed out 


where are something wrong for me? 


thanks you!

More information about the pve-user mailing list