>> We use '-j ACCEPT' at many places. Each of those calls will bypass the ips?
>> So shouldn't we replace all occurrences of '-j ACCEPT'?

I only replace when the connection is established for now, but I think we can replace the -j ACCEPT in the tap-in chains without problem, and in the vmbrX-FW chain too.

----- Original Message -----
From: "Dietmar Maurer" <diet...@proxmox.com>
To: "Alexandre Derumier" <aderum...@odiso.com>, pve-devel@pve.proxmox.com
Sent: Monday, 17 March 2014 13:02:54
Subject: RE: [pve-devel] [PATCH] add ips feature v2

We use '-j ACCEPT' at many places. Each of those calls will bypass the ips?
So shouldn't we replace all occurrences of '-j ACCEPT'?

> This adds ips (like suricata) support through nfqueues.
>
> This creates a new chain PVEFW-Accept:
>
> -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-Accept
> -A PVEFW-Accept -m physdev --physdev-out tapxxx --physdev-is-bridged -j NFQUEUE --queue-num 0 --queue-bypass
> -A PVEFW-Accept -m physdev --physdev-out tapxxx --physdev-is-bridged -j NFQUEUE --queue-num 0 --queue-bypass
> -A PVEFW-Accept -j ACCEPT
>
> It uses --queue-bypass (only available in the 3.10 kernel), so if the suricata daemon is down,
> packets are not dropped.
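The question in the thread is which '-j ACCEPT' rules bypass the IPS: any rule that accepts directly, instead of jumping to PVEFW-Accept, never hands the packet to the NFQUEUE. The script below is an added example written for this page, not code from the pve-firewall patch or from either poster. It builds a PVEFW-Accept chain in the shape quoted above, rewrites the plain ACCEPTs of a given list of chains (the established-connection rule in PVEFW-FORWARD, the tap-in chains and the vmbrX-FW chains named in the reply) to jump to PVEFW-Accept instead, and counts how many direct ACCEPTs remain. The chain names tap100i0-IN and vmbr0-FW, the queue number, the tap device names and the sample ruleset are constructed for illustration; only the iptables options (-m physdev, --physdev-out, --physdev-is-bridged, -j NFQUEUE --queue-num N --queue-bypass) are the real ones from the thread.

```shell
#!/bin/sh
# Added example, not part of the pve-firewall patch. Works on text in
# iptables-save format so it can be run offline; feed the result to
# iptables-restore in a real deployment (that step is not done here).

# Emit the PVEFW-Accept chain: one NFQUEUE rule per tap device, then ACCEPT.
# --queue-bypass makes the kernel continue with the next rule (here: ACCEPT)
# when no userspace program is bound to the queue, so a stopped IPS daemon
# does not blackhole traffic. Per the thread this needs a 3.10 kernel.
gen_pvefw_accept() {
    queue="$1"; shift
    printf '%s\n' ':PVEFW-Accept - [0:0]'
    for tap in "$@"; do
        printf '%s\n' "-A PVEFW-Accept -m physdev --physdev-out $tap --physdev-is-bridged -j NFQUEUE --queue-num $queue --queue-bypass"
    done
    printf '%s\n' "-A PVEFW-Accept -j ACCEPT"
}

# Rewrite '-j ACCEPT' to '-j PVEFW-Accept' in rules whose chain is listed in
# the first argument (space separated). The PVEFW-Accept chain itself is
# never rewritten: its final ACCEPT is the real accept, and rewriting it
# would make the chain jump into itself.
route_accepts_through_ips() {
    awk -v chains="$1" '
        BEGIN { n = split(chains, c, " "); for (i = 1; i <= n; i++) want[c[i]] = 1 }
        /^-A / && ($2 in want) && $2 != "PVEFW-Accept" { sub(/ -j ACCEPT$/, " -j PVEFW-Accept") }
        { print }
    '
}

# Audit check: number of rules that still accept directly, i.e. bypass the
# IPS, outside the PVEFW-Accept chain. Zero means every accept path queues.
count_bypassing_accepts() {
    awk '/^-A / && $2 != "PVEFW-Accept" && / -j ACCEPT$/ { n++ } END { print n + 0 }'
}

# Constructed sample ruleset (hypothetical chain names) for demonstration.
sample_rules() {
cat <<'EOF'
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A tap100i0-IN -p tcp --dport 22 -j ACCEPT
-A tap100i0-IN -j DROP
-A vmbr0-FW -j ACCEPT
-A PVEFW-Accept -j ACCEPT
EOF
}

# Usage: show the chain, the rewritten ruleset and the before/after audit count.
gen_pvefw_accept 0 tap100i0 tap101i0
sample_rules | route_accepts_through_ips "PVEFW-FORWARD tap100i0-IN vmbr0-FW"
echo "direct accepts before: $(sample_rules | count_bypassing_accepts)"
echo "direct accepts after:  $(sample_rules | route_accepts_through_ips "PVEFW-FORWARD tap100i0-IN vmbr0-FW" | count_bypassing_accepts)"
```

The rewrite is deliberately limited to an explicit chain list rather than a blanket replacement: a DROP stays a DROP, and only chains whose accepts are meant to go through the IPS are touched. Running count_bypassing_accepts over the live ruleset (iptables-save output) is a quick way to verify that no direct ACCEPT path was left behind after the change.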