Ok, thanks.

I'll read the shorewall doc a little more.

By the way, is there any reason to use shorewall instead of iptables directly?

I'm reading the OpenStack and CloudStack firewall code; the implementation is not too difficult.
----- Original message -----

From: "Dietmar Maurer" <diet...@proxmox.com>
To: "Alexandre DERUMIER" <aderum...@odiso.com>, "pve-devel" <pve-devel@pve.proxmox.com>
Sent: Monday 20 January 2014 07:22:33
Subject: RE: [pve-devel] pve-firewall questions

> I'm beginning to read the pve-firewall README
> https://git.proxmox.com/?p=pve-firewall.git;a=blob;f=README;h=0d90df5b54f10cd38cbc11895744296fc7479126;hb=b486ed3b930807586eb1038c60682d5e8a8637f8
>
> About zones:
>
> >>We simply define one zone for each bridge/vm pair.
>
>
> So, we need to define 1 zone per VM?
>
> If yes, this seems strange. What I have in mind is to define 1 zone for
> multiple VMs, with no filtering inside the zone by default.
> Then configure firewall rules between the different zones.

You normally want to set up a firewall for each VM - for example, each customer
wants to have a firewall for his VMs.

But we may also allow other groups, like VM pools, or global rules.

> If we need to define rules for each VM, one by one, it'll take a lot of
> time, and the number of rules will be very big (and could lead to performance problems).
>
> Am I missing something?

It must be possible to define rules at different levels: 

- for any network interface in the VM 
- for each VM (sum of all network interfaces of a VM) 
- for a VM pool (list of VMs) 
- at global level (all VMs) 
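The four rule levels listed above (interface, VM, pool, global) have to be folded into a single ordered chain per VM interface, because iptables evaluates a chain top to bottom with first-match semantics. The script below is an added illustration of that composition, not pve-firewall's own code: the chain naming (`vm<id><net>-in`), the assumption that the more specific level is evaluated first (interface, then VM, then pool, then global) so that a VM rule can override a pool rule, and the default-DROP policy are all assumptions made here. The sample rule set is constructed for the example. Both `compile_chain` (which emits the iptables commands) and `decide` (which evaluates a packet against the same ordering) share one `levels()` generator, so the emitted chain and the in-memory decision cannot drift apart.

```python
"""Compose firewall rules from several levels into one per-interface chain.

Added example for the rule-level discussion; NOT pve-firewall's code.
Chain names, level order and default policy are assumptions made here.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                    # ACCEPT, DROP or REJECT
    proto: Optional[str] = None    # "tcp", "udp", "icmp" or None for any
    dport: Optional[int] = None    # destination port, only with tcp/udp
    source: Optional[str] = None   # sender CIDR, None for any

    def __post_init__(self) -> None:
        if self.action not in ("ACCEPT", "DROP", "REJECT"):
            raise ValueError(f"unknown action {self.action!r}")
        # iptables rejects --dport without -p tcp/udp; catch it early
        if self.dport is not None and self.proto not in ("tcp", "udp"):
            raise ValueError("--dport requires proto tcp or udp")

    def matches(self, proto: str, dport: Optional[int], source: str) -> bool:
        """Does this rule match a packet with the given attributes?"""
        if self.proto is not None and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        if self.source is not None:
            net = ipaddress.ip_network(self.source, strict=False)
            if ipaddress.ip_address(source) not in net:
                return False
        return True

    def to_iptables(self, chain: str) -> str:
        parts = ["iptables", "-A", chain]
        if self.source is not None:
            parts += ["-s", self.source]
        if self.proto is not None:
            parts += ["-p", self.proto]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        parts += ["-j", self.action]
        return " ".join(parts)


@dataclass
class RuleSet:
    global_rules: List[Rule] = field(default_factory=list)
    pool_rules: Dict[str, List[Rule]] = field(default_factory=dict)
    vm_rules: Dict[int, List[Rule]] = field(default_factory=dict)
    iface_rules: Dict[Tuple[int, str], List[Rule]] = field(default_factory=dict)
    vm_pool: Dict[int, str] = field(default_factory=dict)   # vmid -> pool

    def levels(self, vmid: int, net: str) -> Iterator[Tuple[str, List[Rule]]]:
        """Yield (label, rules) most specific first (assumed ordering)."""
        yield f"iface {vmid}/{net}", self.iface_rules.get((vmid, net), [])
        yield f"vm {vmid}", self.vm_rules.get(vmid, [])
        pool = self.vm_pool.get(vmid)
        if pool is not None:
            yield f"pool {pool}", self.pool_rules.get(pool, [])
        yield "global", self.global_rules


def chain_name(vmid: int, net: str) -> str:
    return f"vm{vmid}{net}-in"            # assumed naming scheme


def compile_chain(rs: RuleSet, vmid: int, net: str, default: str = "DROP") -> List[str]:
    """Emit iptables commands building the per-interface chain."""
    chain = chain_name(vmid, net)
    cmds = [f"iptables -N {chain}"]
    for label, rules in rs.levels(vmid, net):
        for r in rules:
            cmds.append(f"{r.to_iptables(chain)}  # {label}")
    cmds.append(f"iptables -A {chain} -j {default}  # default policy")
    return cmds


def decide(rs: RuleSet, vmid: int, net: str, proto: str,
           dport: Optional[int], source: str, default: str = "DROP") -> str:
    """First match wins, in exactly the order compile_chain emits."""
    for _, rules in rs.levels(vmid, net):
        for r in rules:
            if r.matches(proto, dport, source):
                return r.action
    return default


def example_ruleset() -> RuleSet:
    """Constructed sample: VMs 100 and 101 belong to pool customerA."""
    rs = RuleSet()
    rs.global_rules = [Rule("ACCEPT", proto="icmp")]
    rs.pool_rules["customerA"] = [Rule("ACCEPT", "tcp", 22, "10.0.0.0/8")]
    rs.vm_pool = {100: "customerA", 101: "customerA"}
    rs.vm_rules[100] = [Rule("DROP", "tcp", 22)]          # overrides pool SSH
    rs.iface_rules[(100, "net0")] = [Rule("ACCEPT", "tcp", 443)]
    return rs


if __name__ == "__main__":
    for line in compile_chain(example_ruleset(), 100, "net0"):
        print(line)
```

Because the VM level is evaluated before the pool level here, VM 100 drops SSH even though its pool allows it, while VM 101 in the same pool still accepts it; anything unmatched falls through to the default DROP. Reversing the level order in `levels()` would silently invert that override behaviour, which is why both the emitter and the evaluator derive from the same generator.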