Re: [pve-devel] [PATCH 0/3] Patch to add forward chain control in pve-firewall
Hello Dietmar,

I'm using a network configuration based on http://help.ovh.co.uk/Proxmox (I need to use SNAT or MASQUERADING, and ip_forwarding is turned on).

I'll also check the GROUP option and the regression tests.

Regards,
Flav

2015-05-11 6:22 GMT+02:00 Dietmar Maurer diet...@proxmox.com:
> > How are you doing that? Creating a group doesn't add anything in the FORWARD chain. And Linux netfilter is forwarding all packets from one bridge to the other (I am using the host as a router for the bridges).
>
> The idea is to create a group with all rules you want to apply, for example:
>
> # cat /etc/pve/firewall/cluster.fw
> [group group1]
> IN ACCEPT -dest 10.1.1.0/24 -p tcp -dport 80
>
> Then you can use this group for all VMs on vmbr1:
>
> # cat /etc/pve/firewall/100.fw
> [RULES]
> GROUP group1
>
> The disadvantage is that you need to configure that group rule for each VM. Some time ago there was an idea to add mandatory groups, so that all VMs automatically apply rules from those groups.
>
> Or is there another reason you want to use the 'FORWARD' chain?
>
> > 2015-05-10 17:04 GMT+02:00 Dietmar Maurer diet...@proxmox.com:
> > > > * guests in vmbr1 are allowed to receive external traffic only on port 80
> > > > * guests in vmbr2 are allowed to receive only traffic on the mysql port from 10.1.1.0/24
> > > >
> > > > set FORWARDING policy to REJECT or DROP
> > > > add rules:
> > > > * chain FORWARD from any to 10.1.1.0/24 port tcp/80 accept
> > > > * chain FORWARD from 10.1.1.0/25 to 10.1.2.0/24 port tcp/3306 accept
> > >
> > > Why don't you use a security group for that?

___
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
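The disadvantage Dietmar mentions, that every VM file has to carry the GROUP line, is easy to audit mechanically. The following is an added example written for this thread, not code from pve-firewall: it parses the subset of the /etc/pve/firewall/*.fw format quoted above ([group NAME] sections in cluster.fw and a [RULES] section with plain rules or GROUP references in per-VM files), expands a VM's GROUP references into the concrete rules, and lists the VM ids that never reference the required group. The file contents and the VM ids 101 and 102 are constructed sample data.

```python
"""Audit per-VM pve-firewall files for a required security group.

Added example for this thread; it is not pve-firewall's own code. It handles
only the subset of the /etc/pve/firewall/*.fw format quoted above: a
[group NAME] section in cluster.fw and a [RULES] section whose lines are
either plain rules or 'GROUP NAME' references.
"""
import re
from typing import Dict, List

# Constructed sample files, not copied from a real host.
CLUSTER_FW = """\
[group group1]
IN ACCEPT -dest 10.1.1.0/24 -p tcp -dport 80
"""

# Hypothetical VM ids: 100 and 101 reference the group, 102 was forgotten.
VM_FW = {
    "100": "[RULES]\nGROUP group1\n",
    "101": "[RULES]\nGROUP group1\n",
    "102": "[RULES]\nIN ACCEPT -p tcp -dport 22\n",
}

# Matches '[RULES]' as well as '[group group1]'.
SECTION_RE = re.compile(r"^\[(\w+)(?:\s+(\S+))?\]$")


def parse_fw(text: str) -> Dict[str, List[str]]:
    """Split a .fw file into sections.

    Keys are 'group:NAME' for [group NAME] and the lower-cased section name
    otherwise; values are the non-empty, non-comment lines of that section.
    """
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            kind, name = m.group(1).lower(), m.group(2)
            current = f"{kind}:{name}" if name else kind
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"rule outside any section: {line!r}")
        sections[current].append(line)
    return sections


def group_refs(vm_text: str) -> List[str]:
    """Names of the security groups a VM file pulls in via GROUP lines."""
    rules = parse_fw(vm_text).get("rules", [])
    return [r.split()[1] for r in rules if r.upper().startswith("GROUP ")]


def expand_rules(cluster_text: str, vm_text: str) -> List[str]:
    """Resolve GROUP references into the concrete rules they stand for."""
    cluster = parse_fw(cluster_text)
    expanded: List[str] = []
    for rule in parse_fw(vm_text).get("rules", []):
        if rule.upper().startswith("GROUP "):
            key = f"group:{rule.split()[1]}"
            if key not in cluster:
                raise KeyError(f"unknown security group referenced: {rule}")
            expanded.extend(cluster[key])
        else:
            expanded.append(rule)
    return expanded


def vms_missing_group(vm_files: Dict[str, str], group: str) -> List[str]:
    """VM ids whose firewall file does not reference the given group."""
    return sorted(vmid for vmid, text in vm_files.items()
                  if group not in group_refs(text))


if __name__ == "__main__":
    for vmid in vms_missing_group(VM_FW, "group1"):
        print(f"VM {vmid} does not apply group1")
    print(expand_rules(CLUSTER_FW, VM_FW["100"]))
```

On a real host the VM_FW dictionary would be filled by reading /etc/pve/firewall/NNN.fw for each VM that sits on vmbr1; the parser deliberately raises on a GROUP line that names a group absent from cluster.fw, since a dangling reference applies no rules at all.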
Re: [pve-devel] [PATCH 0/3] Patch to add forward chain control in pve-firewall
> How are you doing that? Creating a group doesn't add anything in the FORWARD chain. And Linux netfilter is forwarding all packets from one bridge to the other (I am using the host as a router for the bridges).

The idea is to create a group with all rules you want to apply, for example:

# cat /etc/pve/firewall/cluster.fw
[group group1]
IN ACCEPT -dest 10.1.1.0/24 -p tcp -dport 80

Then you can use this group for all VMs on vmbr1:

# cat /etc/pve/firewall/100.fw
[RULES]
GROUP group1

The disadvantage is that you need to configure that group rule for each VM. Some time ago there was an idea to add mandatory groups, so that all VMs automatically apply rules from those groups.

Or is there another reason you want to use the 'FORWARD' chain?

> 2015-05-10 17:04 GMT+02:00 Dietmar Maurer diet...@proxmox.com:
> > > * guests in vmbr1 are allowed to receive external traffic only on port 80
> > > * guests in vmbr2 are allowed to receive only traffic on the mysql port from 10.1.1.0/24
> > >
> > > set FORWARDING policy to REJECT or DROP
> > > add rules:
> > > * chain FORWARD from any to 10.1.1.0/24 port tcp/80 accept
> > > * chain FORWARD from 10.1.1.0/25 to 10.1.2.0/24 port tcp/3306 accept
> >
> > Why don't you use a security group for that?
Re: [pve-devel] [PATCH 0/3] Patch to add forward chain control in pve-firewall
How are you doing that? Creating a group doesn't add anything in the FORWARD chain. And Linux netfilter is forwarding all packets from one bridge to the other (I am using the host as a router for the bridges).

2015-05-10 17:04 GMT+02:00 Dietmar Maurer diet...@proxmox.com:
> > * guests in vmbr1 are allowed to receive external traffic only on port 80
> > * guests in vmbr2 are allowed to receive only traffic on the mysql port from 10.1.1.0/24
> >
> > set FORWARDING policy to REJECT or DROP
> > add rules:
> > * chain FORWARD from any to 10.1.1.0/24 port tcp/80 accept
> > * chain FORWARD from 10.1.1.0/25 to 10.1.2.0/24 port tcp/3306 accept
>
> Why don't you use a security group for that?
Re: [pve-devel] [PATCH 0/3] Patch to add forward chain control in pve-firewall
Example: the host has several internal bridges:
* vmbr0: x.x.x.x, contains eth0
* vmbr1: 10.1.1.0/24: this bridge has the front VMs
* vmbr2: 10.1.2.0/24: this bridge has the back VMs

vmbr1 and vmbr2 are not connected to an external switch. I use KVM guests.

* guests in vmbr1 are allowed to receive external traffic only on port 80
* guests in vmbr2 are allowed to receive only traffic on the mysql port from 10.1.1.0/24

set FORWARDING policy to REJECT or DROP
add rules:
* chain FORWARD from any to 10.1.1.0/24 port tcp/80 accept
* chain FORWARD from 10.1.1.0/25 to 10.1.2.0/24 port tcp/3306 accept

Also with my other patch (negate) you can add a rule like:
* allow servers in 10.1.1.0/24 to connect to the external world on any port but not to internal networks. To do this you have to:
  * create ipset internal containing 10.1.1.0/24 and 10.1.2.0/24
  * add rule chain FORWARD from any to ! internal accept

On this patch you maybe would like to change where the new PVEFW-HOST-FORWARD chain is placed.

Regards,
Flav

2015-05-10 7:26 GMT+02:00 Dietmar Maurer diet...@proxmox.com:
> > This is very useful if someone wants to have guests in different subnets (on different vlans) and add a firewall between the subnets.
>
> Why is it useful? Please can you be more specific, maybe giving an example?
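To see what the proposed FORWARD rule set actually permits before loading it on a router host, it helps to evaluate it against sample flows. The block below is an added example written for this thread, not pve-firewall code: it models the three rules from the message (the two accept rules plus the negated-ipset rule, taken exactly as written, with source "any") as a first-match chain over a DROP default policy. The ipset "internal" is constructed from the two guest subnets as the message describes, the external addresses 203.0.113.5 and 198.51.100.7 are documentation-range placeholders, and the Match/Rule classes and evaluate() function are this example's own names. Because the second rule as written uses 10.1.1.0/25, a front VM at 10.1.1.200 does not match it, and the evaluator makes that visible.

```python
"""Evaluate the first-match FORWARD rule set proposed in the thread.

Added example; not pve-firewall code. A rule is a source matcher, a
destination matcher, an optional protocol/port and an action; when no rule
matches, the chain's default policy applies. Matchers are 'any', a CIDR or
'+NAME' for an ipset, optionally negated as the negate patch describes.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed ipset 'internal' = both guest bridges, as in the message.
IPSETS: Dict[str, list] = {
    "internal": [ip_network("10.1.1.0/24"), ip_network("10.1.2.0/24")],
}


@dataclass
class Match:
    spec: str             # "any", a CIDR such as "10.1.1.0/24", or "+ipsetname"
    negate: bool = False  # True models the '!' from the negate patch

    def covers(self, addr: str, ipsets: Dict[str, list]) -> bool:
        a = ip_address(addr)
        if self.spec == "any":
            hit = True
        elif self.spec.startswith("+"):
            hit = any(a in net for net in ipsets[self.spec[1:]])
        else:
            hit = a in ip_network(self.spec)
        return hit != self.negate


@dataclass
class Rule:
    src: Match
    dst: Match
    proto: Optional[str]   # None matches any protocol
    dport: Optional[int]   # None matches any destination port
    action: str


# The three FORWARD rules from the message, in the order they would be hit.
FORWARD_RULES: List[Rule] = [
    Rule(Match("any"), Match("10.1.1.0/24"), "tcp", 80, "ACCEPT"),
    Rule(Match("10.1.1.0/25"), Match("10.1.2.0/24"), "tcp", 3306, "ACCEPT"),
    Rule(Match("any"), Match("+internal", negate=True), None, None, "ACCEPT"),
]
DEFAULT_POLICY = "DROP"


def evaluate(src: str, dst: str, proto: str, dport: int,
             rules: List[Rule] = FORWARD_RULES,
             policy: str = DEFAULT_POLICY,
             ipsets: Dict[str, list] = IPSETS) -> str:
    """Return the action of the first matching rule, else the default policy."""
    for r in rules:
        if r.proto is not None and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if not (r.src.covers(src, ipsets) and r.dst.covers(dst, ipsets)):
            continue
        return r.action
    return policy


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.5 stands in for an external client.
    for flow in [("203.0.113.5", "10.1.1.10", "tcp", 80),
                 ("203.0.113.5", "10.1.1.10", "tcp", 22),
                 ("10.1.1.10", "10.1.2.10", "tcp", 3306),
                 ("10.1.1.200", "10.1.2.10", "tcp", 3306),
                 ("10.1.1.10", "198.51.100.7", "tcp", 443)]:
        print(flow, "->", evaluate(*flow))
```

The model covers only the first-match logic of the listed rules; it has no connection tracking, so reply packets of established connections are not considered, and it says nothing about where the new PVEFW-HOST-FORWARD chain is hooked into the host's FORWARD chain.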
Re: [pve-devel] [PATCH 0/3] Patch to add forward chain control in pve-firewall
> * guests in vmbr1 are allowed to receive external traffic only on port 80
> * guests in vmbr2 are allowed to receive only traffic on the mysql port from 10.1.1.0/24
>
> set FORWARDING policy to REJECT or DROP
> add rules:
> * chain FORWARD from any to 10.1.1.0/24 port tcp/80 accept
> * chain FORWARD from 10.1.1.0/25 to 10.1.2.0/24 port tcp/3306 accept

Why don't you use a security group for that?
Re: [pve-devel] [PATCH 0/3] Patch to add forward chain control in pve-firewall
> This is very useful if someone wants to have guests in different subnets (on different vlans) and add a firewall between the subnets.

Why is it useful? Please can you be more specific, maybe giving an example?