Thanks a lot Cody!

I will implement the range-based blocks then; that should be good enough. :)

In regard to the lx branded issue, yes, the two zones are on the same
SmartOS node (running a single node as a home server).

Any steps to debug this?

# uname -a
SunOS 0c-c4-7a-69-03-66 5.11 joyent_20160721T174418Z i86pc i386 i86pc


Eric

On 2016 August 28 at 22:19:27, Cody Mello ([email protected]) wrote:

Hi Eric,

On Sun, Aug 28, 2016 at 2:50 AM, Eric Ripa <[email protected]> wrote:
> 1) By default outgoing traffic is allowed. It seems like I need to
> explicitly block every port/protocol if I want to block outgoing traffic.
> Is it somehow possible to block all outgoing traffic with exceptions (and
> possibly being stateful)?

There's no way to say "block everything, except for what these
additional rules allow", currently. What you can do though is make use
of port ranges to block several different ranges. So, for example:

FROM vm <uuid> TO any BLOCK ports 1-79, 81-442, 444-65535

Would allow outbound connections to ports 80 and 443.

> 2) Are fwadm rules supposed to work for lx branded zones? I cannot seem
> to get them working, they get added and are enabled. But the rules are not
> applied, see below. (the 722b…. zone is a SmartOS zone where rules are
> working)
>
> # fwadm list
> UUID ENABLED RULE
> 692b5409-3616-4f68-b140-7fc2af6b1884 true FROM vm 722b3073-e771-6217-cc5d-a30f4fdd7ff3 TO vm 23d8f7a0-6451-623c-dc9a-b5e46314f7ed ALLOW tcp PORT 8080
>
> # fwadm vms 692b5409-3616-4f68-b140-7fc2af6b1884
> 23d8f7a0-6451-623c-dc9a-b5e46314f7ed

Is the vm 722b3073-e771-6217-cc5d-a30f4fdd7ff3 on the same SmartOS
box? If it isn't, then fwadm won't know what addresses to use to
generate the rule.

- Cody




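Since fwadm has no "block everything except" mode, the range list in Cody's example has to be derived by hand from the ports you want to keep open, which is error-prone once the allow-list grows. The following is an added example (not code from the thread or from fwadm) that computes the complementary ranges from an allow-list and renders the rule in the same form Cody used; `<uuid>` is a placeholder for the VM UUID, and the exact keywords should be checked against the fwadm documentation before use.

```python
"""Turn an outbound allow-list into the complementary fwadm BLOCK ranges.

Added example, not from the thread. fwadm has no "block all except" mode,
so the rule must enumerate every port range that is NOT allowed.
"""

PORT_MIN, PORT_MAX = 1, 65535


def blocked_ranges(allowed_ports):
    """Return (lo, hi) ranges covering every port not in allowed_ports."""
    allowed = sorted(set(allowed_ports))
    for p in allowed:
        if not PORT_MIN <= p <= PORT_MAX:
            raise ValueError(f"port out of range: {p}")
    ranges = []
    cursor = PORT_MIN  # first port not yet accounted for
    for p in allowed:
        if p > cursor:  # gap before this allowed port: block it
            ranges.append((cursor, p - 1))
        cursor = p + 1  # adjacent allowed ports (80, 81) collapse naturally
    if cursor <= PORT_MAX:  # tail after the highest allowed port
        ranges.append((cursor, PORT_MAX))
    return ranges


def format_ranges(ranges):
    """Render ranges as fwadm-style text, e.g. '1-79, 81-442, 444-65535'."""
    return ", ".join(f"{lo}-{hi}" if lo != hi else str(lo) for lo, hi in ranges)


def block_rule(vm_uuid, allowed_ports):
    """Build the rule in the form used in the thread (vm_uuid is a placeholder)."""
    ports = format_ranges(blocked_ranges(allowed_ports))
    return f"FROM vm {vm_uuid} TO any BLOCK ports {ports}"


def is_blocked(port, ranges):
    """Sanity check a port against the generated ranges before deploying."""
    return any(lo <= port <= hi for lo, hi in ranges)


if __name__ == "__main__":
    # Constructed allow-list matching the thread: only 80 and 443 stay open.
    print(block_rule("<uuid>", [80, 443]))
```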