> On February 17, 2015 at 4:26 AM lyt_yudi <[email protected]> wrote:
>
> hi, all
>
> follow this wiki: http://pve.proxmox.com/wiki/Proxmox_VE_Firewall
> to set ipfilter for a vm,
>
> ……
> [IPSET ipfilter-net0] # only allow specified IPs on net0
>
> 192.168.2.10
> ……
>
> ……
> exists PVEFW-100-ipfilter-net0-v4 (6/YhjSitJrLDzL68TOZLZTTyrdw)
> create PVEFW-100-ipfilter-net0-v4 hash:net family inet hashsize 64 maxelem 64
> add PVEFW-100-ipfilter-net0-v4 192.168.2.10
> ……
>
> ……
> exists tap100i0-IN (ZLbqszyZjHTbgigwssl+aZm4ogU)
> -A tap100i0-IN -p udp --dport 68 --sport 67 -j ACCEPT
> -A tap100i0-IN -m set --match-set PVEFW-0-vcloud-v4 src -j ACCEPT
> -A tap100i0-IN -j PVEFW-Drop
> -A tap100i0-IN -j NFLOG --nflog-prefix ":100:7:tap100i0-IN: policy DROP: "
> -A tap100i0-IN -j DROP
> exists tap100i0-OUT (JwDnqsG9n2fnt8RZFCGMMl+rD90)
> -A tap100i0-OUT -p udp --dport 67 --sport 68 -g PVEFW-SET-ACCEPT-MARK
> -A tap100i0-OUT -m mac ! --mac-source 86:E2:F4:1C:9D:31 -j DROP
> -A tap100i0-OUT -m set ! --match-set PVEFW-100-ipfilter-net0-v4 src -j DROP
> -A tap100i0-OUT -j MARK --set-mark 0
> -A tap100i0-OUT -g PVEFW-SET-ACCEPT-MARK
> ……
>
> puzzling to me:
>
> from tap100i0-OUT to outside is DROP ?
No, it is "! --match-set PVEFW-100-ipfilter-net0-v4". Note: notice the '!' (drop everything not matching).

> from outside to tap100i0-IN is still ACCEPT ?

Yes, we only filter output so far. It is unclear to me if we gain much when filtering input also (would be easy to implement).

_______________________________________________
pve-user mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
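To make the answer above concrete, here is an added example (not Proxmox code and not part of the thread) that re-encodes the two chains quoted in the post as Python data and walks them rule by rule the way iptables would, so you can see which direction the ipfilter set constrains. The `PVEFW-100-ipfilter-net0-v4` contents and the VM MAC come from the post; the contents of `PVEFW-0-vcloud-v4` and the sample packets are constructed assumptions, and `PVEFW-Drop` is simplified to a jump that returns to the calling chain.

```python
"""Toy walk of the tap100i0-IN / tap100i0-OUT chains from the pve-user post.

Added example, not Proxmox's own code. Rules are evaluated top to bottom;
the first terminating target decides the verdict, as in iptables.
"""
import ipaddress

# ipset contents: ipfilter set as in the post, vcloud set is an ASSUMPTION
IPSETS = {
    "PVEFW-100-ipfilter-net0-v4": ["192.168.2.10"],   # from the post
    "PVEFW-0-vcloud-v4": ["10.0.0.0/8"],              # assumed contents
}

VM_MAC = "86:E2:F4:1C:9D:31"  # from the post; compared case-insensitively


def in_set(set_name):
    """Match when the packet's source address is a member of the ipset."""
    nets = [ipaddress.ip_network(n) for n in IPSETS[set_name]]
    return lambda pkt: any(ipaddress.ip_address(pkt["src"]) in n for n in nets)


def not_(match):
    """The '!' in '-m set ! --match-set ...': invert the match."""
    return lambda pkt: not match(pkt)


def udp_ports(sport, dport):
    return lambda pkt: (pkt.get("proto") == "udp"
                        and pkt.get("sport") == sport and pkt.get("dport") == dport)


def mac_source_not(mac):
    """'-m mac ! --mac-source': match when the source MAC differs."""
    return lambda pkt: pkt.get("mac", "").lower() != mac.lower()


# (match or None for "always", target, rule text as quoted in the post)
CHAINS = {
    "tap100i0-IN": [
        (udp_ports(67, 68), "ACCEPT", "-p udp --dport 68 --sport 67 -j ACCEPT"),
        (in_set("PVEFW-0-vcloud-v4"), "ACCEPT", "-m set --match-set PVEFW-0-vcloud-v4 src -j ACCEPT"),
        (None, "PVEFW-Drop", "-j PVEFW-Drop"),
        (None, "NFLOG", "-j NFLOG --nflog-prefix \":100:7:tap100i0-IN: policy DROP: \""),
        (None, "DROP", "-j DROP"),
    ],
    "tap100i0-OUT": [
        (udp_ports(68, 67), "PVEFW-SET-ACCEPT-MARK", "-p udp --dport 67 --sport 68 -g PVEFW-SET-ACCEPT-MARK"),
        (mac_source_not(VM_MAC), "DROP", "-m mac ! --mac-source 86:E2:F4:1C:9D:31 -j DROP"),
        (not_(in_set("PVEFW-100-ipfilter-net0-v4")), "DROP",
         "-m set ! --match-set PVEFW-100-ipfilter-net0-v4 src -j DROP"),
        (None, "MARK", "-j MARK --set-mark 0"),
        (None, "PVEFW-SET-ACCEPT-MARK", "-g PVEFW-SET-ACCEPT-MARK"),
    ],
}

# Targets that end evaluation. '-g PVEFW-SET-ACCEPT-MARK' marks the packet
# for acceptance and never returns, so it is modelled as ACCEPT.
TERMINAL = {"ACCEPT": "ACCEPT", "DROP": "DROP", "PVEFW-SET-ACCEPT-MARK": "ACCEPT"}


def evaluate(chain, pkt):
    """Return (verdict, 1-based index of the deciding rule)."""
    for i, (match, target, _text) in enumerate(CHAINS[chain], start=1):
        if match is not None and not match(pkt):
            continue
        if target in TERMINAL:
            return TERMINAL[target], i
        # PVEFW-Drop (simplified as returning), NFLOG and MARK do not terminate
    return "RETURN", 0


def deciding_rule(chain, pkt):
    """The quoted rule text that produced the verdict, for explaining a drop."""
    _verdict, i = evaluate(chain, pkt)
    return CHAINS[chain][i - 1][2] if i else "(end of chain)"


if __name__ == "__main__":
    # constructed sample packets
    good_out = {"src": "192.168.2.10", "mac": VM_MAC, "proto": "tcp"}
    bad_ip_out = {"src": "192.168.2.99", "mac": VM_MAC, "proto": "tcp"}
    inbound = {"src": "192.168.2.99", "proto": "tcp"}
    for chain, pkt in [("tap100i0-OUT", good_out), ("tap100i0-OUT", bad_ip_out),
                       ("tap100i0-IN", inbound)]:
        print(chain, pkt["src"], "->", evaluate(chain, pkt)[0], "by", deciding_rule(chain, pkt))
```

Running the example shows the two answers from the reply side by side: an outbound packet whose source is not in the ipfilter set is dropped by rule 3 of `tap100i0-OUT` (the `!` rule), while `tap100i0-IN` never consults the ipfilter set at all; inbound traffic is decided by the DHCP rule, the vcloud set, or the final DROP.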
