Hi, all

Following this wiki: http://pve.proxmox.com/wiki/Proxmox_VE_Firewall
to set an ipfilter for a VM,
…...
[IPSET ipfilter-net0] # only allow specified IPs on net0
192.168.2.10
……
……
exists PVEFW-100-ipfilter-net0-v4 (6/YhjSitJrLDzL68TOZLZTTyrdw)
create PVEFW-100-ipfilter-net0-v4 hash:net family inet hashsize 64 maxelem 64
add PVEFW-100-ipfilter-net0-v4 192.168.2.10
…...
……
exists tap100i0-IN (ZLbqszyZjHTbgigwssl+aZm4ogU)
-A tap100i0-IN -p udp --dport 68 --sport 67 -j ACCEPT
-A tap100i0-IN -m set --match-set PVEFW-0-vcloud-v4 src -j ACCEPT
-A tap100i0-IN -j PVEFW-Drop
-A tap100i0-IN -j NFLOG --nflog-prefix ":100:7:tap100i0-IN: policy DROP: "
-A tap100i0-IN -j DROP
exists tap100i0-OUT (JwDnqsG9n2fnt8RZFCGMMl+rD90)
-A tap100i0-OUT -p udp --dport 67 --sport 68 -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -m mac ! --mac-source 86:E2:F4:1C:9D:31 -j DROP
-A tap100i0-OUT -m set ! --match-set PVEFW-100-ipfilter-net0-v4 src -j DROP
-A tap100i0-OUT -j MARK --set-mark 0
-A tap100i0-OUT -g PVEFW-SET-ACCEPT-MARK
……
Puzzling to me:
From tap100i0-OUT to the outside is DROP?
From the outside to tap100i0-IN is still ACCEPT?
Thanks!
lyt_yudi
[email protected]
_______________________________________________ pve-user mailing list [email protected] http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
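The following is an added example, not code from the post above or from Proxmox VE itself. It models the two chains quoted in the post as plain first-match-wins iptables rule lists and walks constructed packets through them, so the effect of each rule can be read off directly: the `-m set ! --match-set PVEFW-100-ipfilter-net0-v4 src -j DROP` rule sits in tap100i0-OUT, so it tests the VM's own source address on egress, while tap100i0-IN accepts DHCP replies and sources in PVEFW-0-vcloud-v4 before falling through to NFLOG and DROP. Two things are assumptions because the post does not show them: the members of PVEFW-0-vcloud-v4 (assumed here to be 192.168.2.0/24), and that PVEFW-Drop returns without a verdict. The `-g PVEFW-SET-ACCEPT-MARK` jumps are modelled as ACCEPT; in the real ruleset they set a mark that a later chain acts on.

```python
"""Model of the tap100i0-IN / tap100i0-OUT chains quoted in the post.

Added example, not Proxmox code. Rules are evaluated first-match-wins, as
iptables traverses a chain. Assumptions (not shown in the post): the members
of PVEFW-0-vcloud-v4, and that PVEFW-Drop returns without a verdict.
"""
import ipaddress

# ipset contents: the ipfilter set is copied from the post, the vcloud set is assumed.
IPSETS = {
    "PVEFW-100-ipfilter-net0-v4": ["192.168.2.10"],
    "PVEFW-0-vcloud-v4": ["192.168.2.0/24"],  # assumption: contents not in the post
}
VM_MAC = "86:e2:f4:1c:9d:31"  # from the -m mac rule in the post


def in_set(name, ip):
    """Emulate -m set --match-set NAME src (hash:net, so prefixes match too)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in IPSETS[name])


def is_dhcp(pkt, sport, dport):
    """Emulate -p udp --sport SPORT --dport DPORT."""
    return pkt["proto"] == "udp" and pkt.get("sport") == sport and pkt.get("dport") == dport


# tap100i0-OUT: packets leaving the VM towards the bridge.
OUT_CHAIN = [
    (lambda p: is_dhcp(p, 68, 67), "ACCEPT"),                        # DHCP client traffic first
    (lambda p: p["mac_src"].lower() != VM_MAC, "DROP"),              # -m mac ! --mac-source
    (lambda p: not in_set("PVEFW-100-ipfilter-net0-v4", p["ip_src"]), "DROP"),  # ! --match-set ipfilter src
    (lambda p: True, "ACCEPT"),                                      # MARK 0; -g PVEFW-SET-ACCEPT-MARK
]

# tap100i0-IN: packets from the bridge towards the VM.
IN_CHAIN = [
    (lambda p: is_dhcp(p, 67, 68), "ACCEPT"),                        # DHCP server replies
    (lambda p: in_set("PVEFW-0-vcloud-v4", p["ip_src"]), "ACCEPT"),  # --match-set vcloud src
    # PVEFW-Drop is assumed to RETURN here (its body is not in the post)
    (lambda p: True, "DROP"),                                        # NFLOG "policy DROP", then DROP
]


def run_chain(chain, pkt):
    """Return the verdict of the first matching rule, or RETURN if none match."""
    for matches, verdict in chain:
        if matches(pkt):
            return verdict
    return "RETURN"


def packet(mac_src, ip_src, proto="tcp", sport=40000, dport=80):
    return {"mac_src": mac_src, "ip_src": ip_src, "proto": proto, "sport": sport, "dport": dport}


# Constructed sample packets (direction, packet).
SAMPLES = {
    "vm egress, allowed ip":    ("OUT", packet(VM_MAC, "192.168.2.10")),
    "vm egress, spoofed ip":    ("OUT", packet(VM_MAC, "192.168.2.11")),
    "vm egress, spoofed mac":   ("OUT", packet("02:00:00:00:00:01", "192.168.2.10")),
    "vm egress, dhcp discover": ("OUT", packet(VM_MAC, "0.0.0.0", "udp", 68, 67)),
    "ingress from vcloud host": ("IN", packet("52:54:00:aa:bb:cc", "192.168.2.50")),
    "ingress from elsewhere":   ("IN", packet("52:54:00:aa:bb:cc", "10.9.8.7")),
}


def verdicts():
    """Run every sample through its chain and return {sample name: verdict}."""
    chains = {"OUT": OUT_CHAIN, "IN": IN_CHAIN}
    return {name: run_chain(chains[d], p) for name, (d, p) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:26s} -> {verdict}")
```

Running it prints one verdict per constructed packet. The spoofed-IP and spoofed-MAC egress samples are the ones the ipfilter and MAC rules in tap100i0-OUT drop; the DHCP discover from 0.0.0.0 passes because the DHCP rule precedes both checks; ingress is decided only by the DHCP rule and the (assumed) vcloud set.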
