Hello Dietmar,

I'm using a network configuration based on http://help.ovh.co.uk/Proxmox (need to use SNAT or MASQUERADING, and ip_forwarding is turned on).
I'll check also the GROUP option and the regression tests.

Regards,
Flav

2015-05-11 6:22 GMT+02:00 Dietmar Maurer <diet...@proxmox.com>:
>> How are you doing that? Creating a group didn't add anything in the
>> FORWARD chain. And linux netfilter is forwarding all packets from one
>> bridge to the other (I am using the host as a "router" for the
>> bridges).
>
> The idea is to create a group with all rules you want to apply, for example:
>
> # cat /etc/pve/firewall/cluster.fw
> [group group1]
> IN ACCEPT -dest 10.1.1.0/24 -p tcp -dport 80
>
> Then you can use this group for all VMs on vmbr1:
>
> # cat /etc/pve/firewall/100.fw
> [RULES]
> GROUP group1
>
> The disadvantage is that you need to configure that group rule
> for each VM. Some time ago there was an idea to add mandatory
> groups, so that all VMs automatically apply rules from those groups.
>
> Or is there another reason you want to use the 'FORWARD' chain?
>
>> 2015-05-10 17:04 GMT+02:00 Dietmar Maurer <diet...@proxmox.com>:
>> >> *guests in vmbr1 are allowed to receive external traffic only on port 80
>> >> *guests in vmbr2 are allowed only to receive only traffic on mysql
>> >> port from 10.1.1.0/24
>> >>
>> >> set FORWARDING policy to REJECT or DROP
>> >> add rules:
>> >> * chain FORWARD from any to 10.1.1.0/24 port tcp/80 accept
>> >> * chain FORWARD from 10.1.1.0/25 to 10.1.2.0/24 port tcp/3306 accept
>> >
>> > Why don't you use a security group for that?

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
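
An added example, not part of the thread and not Proxmox code: because the group has to be referenced in every VM's firewall file, a small audit over the .fw files can list guests that lack it or that reference a group cluster.fw does not define. The contents for VMs 101 and 102 and all function names are constructed for illustration, and the parser assumes only the [group NAME], [RULES] and GROUP syntax shown in the message above.

```python
import re

SECTION = re.compile(r"^\[(.+?)\]\s*$")

def parse_sections(text):
    """Split a .fw file into {section header: [lines]}, skipping blanks and # comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION.match(line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def defined_groups(cluster_fw):
    """Names declared as [group NAME] in cluster.fw."""
    names = set()
    for header in parse_sections(cluster_fw):
        parts = header.split()
        if len(parts) == 2 and parts[0].lower() == "group":
            names.add(parts[1])
    return names

def referenced_groups(vm_fw):
    """Groups pulled in by 'GROUP NAME' lines in the VM's [RULES] section."""
    rules = parse_sections(vm_fw).get("RULES", [])
    return {p[1] for p in (l.split() for l in rules) if len(p) >= 2 and p[0] == "GROUP"}

def audit(cluster_fw, vm_files, required):
    """Return {vmid: [problems]} for VMs missing the required group or using an undefined one."""
    defined, report = defined_groups(cluster_fw), {}
    for vmid, text in sorted(vm_files.items()):
        refs = referenced_groups(text)
        problems = [] if required in refs else [f"missing GROUP {required}"]
        problems += [f"undefined group {g}" for g in sorted(refs - defined)]
        if problems:
            report[vmid] = problems
    return report

# cluster.fw and 100.fw as quoted in the thread; 101 and 102 are constructed samples.
CLUSTER_FW = "[group group1]\nIN ACCEPT -dest 10.1.1.0/24 -p tcp -dport 80\n"
VM_FILES = {100: "[RULES]\nGROUP group1\n",
            101: "[RULES]\nIN ACCEPT -p tcp -dport 22\n",
            102: "[RULES]\nGROUP group2\n"}
if __name__ == "__main__":
    print(audit(CLUSTER_FW, VM_FILES, "group1"))
```

On a real host the strings would be read from /etc/pve/firewall/cluster.fw and the per-VM files beside it.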