>>OK. But maybe we can allow normal rules also?

yes sure

>>And use the existing format (pve-firewall/example/100.fw):

no problem.

>>We use an extra file to store Security Groups: /etc/pve/firewall/groups.fw
>>
>>----------groups.fw-example-----------
>>
>>[IN:<groupname>:<pool>]
>>
>>SSH(ACCEPT) net0 192.168.2.192 -
>>
>>[OUT:<groupname>:<pool>]
>>
>>...
>>--------------------
>>
>>So we can store 'global' groups (no pool specified) and pool related groups.
>>I am sure we find a way to handle permissions for that.

ok, let's go like this.

>>I think this should be exactly the same as the firewall tab on the VM.
>>You just edit the rules for a 'security group' instead of VM specific rules.

Yes, sounds good.

>>I am not sure if you are aware of all iptables restrictions for bridge ports
>>(physdev match).
>>For a short intro read: http://www.shorewall.net/bridge-Shorewall-perl.html
>>But I have no idea if you hit that problem at all.

Yes, I see that. (not sure I understand the problem)
Currently I have tested the firewall with 1 bridge port/tap only.
And I don't have any problem to communicate with other ports (mac address rules), or with the external network (rules by ip).
I'll do tests with 2 firewalled ports.

----- Original Mail -----
From: "Dietmar Maurer" <diet...@proxmox.com>
To: "Alexandre DERUMIER" <aderum...@odiso.com>
Cc: "pve-devel" <pve-devel@pve.proxmox.com>
Sent: Wednesday 22 January 2014 07:10:39
Subject: RE: [pve-devel] RFC : iptables implementation

> >>How would you present that to the user (how would you design a GUI for
> that)?
> I see 2 parts:
>
> 1 firewall tab on the vm
> in this tab, we can associate security groups for incoming rules and outgoing
> rules by network interface
>
> [INCOMING RULES]
> net0 security1
> net0 security2
>
> [OUTGOING RULES]
> net1 security3
> .....

OK. But maybe we can allow normal rules also?
And use the existing format (pve-firewall/example/100.fw):

------------------
[GROUPS]
security1
security2

[IN]
SSH(ACCEPT) net0 192.168.2.192 -

[OUT]
DNS(ACCEPT) net0
------------------

> maybe some special checkbox to enable anti-spoofing rule
>
>
> 1 new tab/form to manage rules/security groups.
> I would like to be able to use the same rules on different VMs, so I don't know
> where to put this form ?
> In the datacenter ?

yes

> I think these rules should be shared inside a pool. (PVEPool permissions to
> manage these rules ?)
> What do you think ?

We use an extra file to store Security Groups: /etc/pve/firewall/groups.fw

----------groups.fw-example-----------
[IN:<groupname>:<pool>]
SSH(ACCEPT) net0 192.168.2.192 -

[OUT:<groupname>:<pool>]
...
--------------------

So we can store 'global' groups (no pool specified) and pool related groups.
I am sure we find a way to handle permissions for that.

> in this tab, we can edit rules with
>
> source : ip / iprange / mac (or vmid-netX, and we translate it to macaddress
> later) / other security group
> destination : ip / iprange / mac (or vmid-netX, and we translate it to
> macaddress later) / other security group
> source port : port, portlist(1,2,3) , port range
> destination port : portnum, portlist(1,2,3) / port range / port from
> /etc/services
> protocol : tcp/udp/...
> action : ACCEPT/DROP
>
> Maybe add some "macros/wizard", for protocols like dhcp : -p udp --dport 67:68
> --sport 67:68 or icmp (-p icmp --icmp-type 0, -p icmp --icmp-type 8)

I think this should be exactly the same as the firewall tab on the VM.
You just edit the rules for a 'security group' instead of VM specific rules.

> >>What configuration files do we need for that (syntax)?
>
> 1 config file by vm (we can reuse /etc/pve/firewall/VMID.fw)
>
> [IN]
> net0 security1
> net0 security2
> [OUT]
> net1 security3
>
> we can use inotify to regenerate interface chains on each proxmox host
>
>
> 1 config file for security groups. (or 1 file by pool? don't know)

One file is enough (see above /etc/pve/firewall/groups.fw)

> [SECURITY1]
> src=xxx dst=xxx sport=xxx dport=xxx proto=xxx action=xxx
>
> [SECURITY]
> src=xxx dst=xxx sport=xxx dport=xxx proto=xxx action=xxx
>
>
>
> >>And can we easily implement that with OVS (stateless)?
> Really, I really don't know for the moment. But it could be possible to
> implement it later, as config files are simple.
>
> Another possibility is to do like openstack with "hybrid mode".
> You have a central ovs (manage vlan, netflow,...), then 1 bridge for each tap
> interface plugged to ovs.
> Like this it's possible to manage iptables rules on these bridges.

I am not sure if you are aware of all iptables restrictions for bridge ports
(physdev match).
For a short intro read: http://www.shorewall.net/bridge-Shorewall-perl.html
But I have no idea if you hit that problem at all.

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
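The two file layouts sketched in this thread (a per-VM VMID.fw with a [GROUPS] list plus [IN]/[OUT] rules, and a shared groups.fw with [IN:<groupname>:<pool>] sections) are easy to parse, and doing so makes the open points concrete: how group rules and VM rules combine, how a vmid-netX source becomes a MAC match, and where the physdev restriction Dietmar mentions shows up when rules are rendered for a bridge port. The Python below is an added example written for this page, not pve-firewall's code (which is Perl). Everything beyond the section headers and the "MACRO(ACTION) iface src dst" line shape is an assumption made here: the macro table (SSH, DNS, ICMP), the '-' wildcard, the constructed vmid-netX -> MAC table, the netX -> tap names, and the mapping IN = --physdev-out / OUT = --physdev-in on the FORWARD chain.

```python
import re
from collections import namedtuple

# Constructed sample of the proposed /etc/pve/firewall/groups.fw (assumed syntax)
GROUPS_FW = """\
[IN:security1:]
SSH(ACCEPT) net0 192.168.2.192 -
[IN:security2:pool1]
DNS(ACCEPT) net0 100-net1 -
"""
# Constructed sample of a per-VM /etc/pve/firewall/<VMID>.fw (assumed syntax)
VM_FW = """\
[GROUPS]
security1
security2
[IN]
ICMP(DROP) net0 - -
[OUT]
DNS(ACCEPT) net0
"""
# Assumed macro table (proto, dport); the thread does not define the real macros.
MACROS = {"SSH": [("tcp", "22")], "DNS": [("udp", "53"), ("tcp", "53")],
          "ICMP": [("icmp", None)]}
VM_MACS = {"100-net1": "02:00:00:aa:bb:01"}   # constructed vmid-netX -> MAC table
TAPS = {"net0": "tap101i0", "net1": "tap101i1"}  # assumed netX -> tap device names

SECTION = re.compile(r"^\[([^\]]+)\]$")
RULE = re.compile(r"^([A-Z]+)\((ACCEPT|DROP|REJECT)\)\s+(\S+)(?:\s+(\S+))?(?:\s+(\S+))?$")
# src/dst None means any ('-' in the file); origin is "vm" or the group name
Rule = namedtuple("Rule", "direction macro action iface src dst origin")

def _rule(direction, line, origin):
    m = RULE.match(line)
    if not m:
        raise ValueError("bad rule line: %r" % line)
    macro, action, iface, src, dst = m.groups()
    src, dst = (None if v == "-" else v for v in (src, dst))
    return Rule(direction, macro, action, iface, src, dst, origin)

def sections(text):
    """Split a .fw file into {header: [lines]}, keeping file order."""
    out, cur = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        h = SECTION.match(line)
        if h:
            cur = out.setdefault(h.group(1), [])
        elif cur is None:
            raise ValueError("line before any section: %r" % line)
        else:
            cur.append(line)
    return out

def parse_groups(text):
    """Map (direction, group) -> (pool, rules); pool '' means a global group."""
    groups = {}
    for header, lines in sections(text).items():
        direction, name, pool = header.split(":")  # [IN:<groupname>:<pool>]
        groups[(direction, name)] = (pool, [_rule(direction, ln, name) for ln in lines])
    return groups

def parse_vm(text):
    """Return {'GROUPS': [names], 'IN': [Rule], 'OUT': [Rule]} for a VMID.fw."""
    s = sections(text)
    return {"GROUPS": s.get("GROUPS", []),
            "IN": [_rule("IN", ln, "vm") for ln in s.get("IN", [])],
            "OUT": [_rule("OUT", ln, "vm") for ln in s.get("OUT", [])]}

def expand(vm, groups):
    """Group rules first, in [GROUPS] order, then the VM's own rules."""
    rules = []
    for name in vm["GROUPS"]:
        if not any(k[1] == name for k in groups):
            raise KeyError("unknown security group %r" % name)
        rules += [r for k in groups if k[1] == name for r in groups[k][1]]
    return rules + vm["IN"] + vm["OUT"]

def _endpoint(flag, value):
    """-s/-d for an address; vmid-netX is translated to a MAC (source only)."""
    if value is None:
        return ""
    if re.match(r"^\d+-net\d+$", value):
        if flag != "-s":
            raise ValueError("iptables matches a MAC only as source: %r" % value)
        return "-m mac --mac-source " + VM_MACS[value]
    return flag + " " + value

def to_iptables(rule):
    # Assumption: IN = packets leaving the bridge towards the tap (--physdev-out),
    # OUT = packets arriving from the tap (--physdev-in). --physdev-out matches only
    # bridged packets, hence --physdev-is-bridged: the restriction the mail points at.
    tap = TAPS[rule.iface]
    phys = ("-m physdev --physdev-is-bridged --physdev-out " + tap
            if rule.direction == "IN" else "-m physdev --physdev-in " + tap)
    lines = []
    for proto, dport in MACROS[rule.macro]:
        parts = ["-A FORWARD", phys, "-p " + proto, "--dport " + dport if dport else "",
                 _endpoint("-s", rule.src), _endpoint("-d", rule.dst), "-j " + rule.action]
        lines.append(" ".join(p for p in parts if p))
    return lines
```

Calling `to_iptables` on each rule returned by `expand(parse_vm(VM_FW), parse_groups(GROUPS_FW))` gives the FORWARD-chain arguments in evaluation order, group rules before VM-specific ones. Two details are worth keeping even if the format changes: a vmid-netX reference can only be turned into `-m mac --mac-source`, since iptables has no MAC destination match, so the parser refuses it as a destination rather than emitting a wrong rule; and the IN direction depends on `--physdev-out`, which only matches traffic the kernel is bridging, not routing, which is the case to re-check when testing with two firewalled ports.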