Example: the host has several internal bridges:

* vmbr0: x.x.x.x, which contains eth0
* vmbr1: 10.1.1.0/24: this bridge has the "front" VMs
* vmbr2: 10.1.2.0/24: this bridge has the "back" VMs

vmbr1 and vmbr2 are not connected to an external switch. I use KVM guests.

* guests in vmbr1 are allowed to receive external traffic only on port 80
* guests in vmbr2 are allowed to receive only traffic on the MySQL port from 10.1.1.0/24

Set the FORWARD policy to REJECT or DROP and add rules:

* chain FORWARD from any to 10.1.1.0/24 port tcp/80 accept
* chain FORWARD from 10.1.1.0/25 to 10.1.2.0/24 port tcp/3306 accept

Also, with my other patch (negate) you can add a rule like:

* allow servers in 10.1.1.0/24 to connect to the external world on any port but not to internal networks

To do this you have to:

* create ipset "internal" containing 10.1.1.0/24 and 10.1.2.0/24
* add rule chain FORWARD from any to ! "internal" accept

With this patch you may want to change where the new "PVEFW-HOST-FORWARD" chain is placed.

Regards,
Flav

2015-05-10 7:26 GMT+02:00 Dietmar Maurer <diet...@proxmox.com>:
>> This is very useful if someone wants to have guests in different subnets (on
>> different vlans) and add a firewall between the subnets.
>
> Why is it useful? Please can you be more specific, maybe giving an example?
> _______________________________________________
> pve-devel mailing list
> pve-devel@pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
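The rule set described in the message above, written out as plain ipset-restore and iptables-restore fragments so the effect of a DROP forward policy plus the three accept rules (and the negated ipset rule) can be seen in one place. This is an added example, not code from the thread and not the Proxmox firewall's own generated rules; the chain name PVEFW-HOST-FORWARD is taken from the message, but its contents, the helper names (ipset_rules, forward_rules, apply_rules) and the conntrack lines are this example's own choices. It assumes the host routes between vmbr1 and vmbr2 (ip_forward enabled, NAT for external traffic handled elsewhere), uses 10.1.1.0/24 for the MySQL rule where the message's second rule reads 10.1.1.0/25, and restricts the "to ! internal" rule to the front subnet to match the stated intent rather than the literal "from any":

```shell
#!/bin/sh
# Added example: build the forward policy from the pve-devel message as
# ipset-restore / iptables-restore input. Not Proxmox firewall output.

FRONT_NET=10.1.1.0/24   # vmbr1, "front" VMs (web)
BACK_NET=10.1.2.0/24    # vmbr2, "back" VMs (MySQL)
MYSQL_PORT=3306
HTTP_PORT=80

# ipset "internal": both guest subnets, so "! internal" means "the outside".
ipset_rules() {
cat <<EOF
create internal hash:net family inet
add internal $FRONT_NET
add internal $BACK_NET
EOF
}

# Filter table in iptables-restore syntax.
# Caveat a practitioner will hit: with FORWARD policy DROP, reply packets
# are dropped too unless ESTABLISHED,RELATED is accepted up front, so that
# line is required even though the message does not list it.
forward_rules() {
cat <<EOF
*filter
:FORWARD DROP [0:0]
:PVEFW-HOST-FORWARD - [0:0]
-A FORWARD -j PVEFW-HOST-FORWARD
-A PVEFW-HOST-FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A PVEFW-HOST-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-FORWARD -d $FRONT_NET -p tcp --dport $HTTP_PORT -m conntrack --ctstate NEW -j ACCEPT
-A PVEFW-HOST-FORWARD -s $FRONT_NET -d $BACK_NET -p tcp --dport $MYSQL_PORT -m conntrack --ctstate NEW -j ACCEPT
-A PVEFW-HOST-FORWARD -s $FRONT_NET -m set ! --match-set internal dst -j ACCEPT
-A PVEFW-HOST-FORWARD -j DROP
COMMIT
EOF
}

# Load both fragments atomically; needs root, ipset and iptables-legacy/nft.
apply_rules() {
    ipset_rules | ipset restore
    forward_rules | iptables-restore --noflush
}

# Print what would be loaded without touching the host:
#   sh forward.sh
ipset_rules
forward_rules
```

Reading the result from the bottom up: anything not matched earlier in PVEFW-HOST-FORWARD is dropped, so a back VM can neither reach the Internet nor talk to a front VM on anything but port 80, and a front VM can only reach the back subnet on 3306 even though it may reach any external address. Because the rules live in their own chain, moving the single `-A FORWARD -j PVEFW-HOST-FORWARD` jump is how you change where the chain is placed relative to other FORWARD rules.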