> >> The problem is that all routed traffic from HOST to VM is allowed. So
> >> a good test would be trying to block something.
>
> yes, but return packet (tap-->input) is blocked, so you can't establish a
> connection
>
> iptables -A INPUT -m physdev --physdev-in tap115i0 -j DROP
>
> or
>
> iptables -A INPUT -m mac --mac-source 32:36:8A:E1:B5:65 -j DROP

That is the other direction? I talk about OUTPUT from HOST into VM

> host : 10.3.94.31
> guest : 10.3.94.201
>
> #ping 10.3.94.201
>
> host---->tap : allowed
> Jan 24 06:49:18 kvmtest1 kernel: [318034.190051] ALLTRAFFICOUTPUT: IN=
> OUT=vmbr1 SRC=10.3.94.31 DST=10.3.94.201 LEN=84 TOS=0x00 PREC=0x00
> TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7239 SEQ=21

exactly. What if I want to block that?

If you have several bridges with assigned IPs, traffic can be routed
from one VM to another VM on a different bridge. This will bypass all
your firewall rules!

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
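The last point in the message (a host with an IP on each of several bridges will route VM-to-VM traffic between those bridges, and per-tap rules on INPUT/OUTPUT never see that traffic) is easiest to reason about with a small model. The following is an added example, not code from the thread or from Proxmox: it models the host's decision for a packet between two VMs, shows that such a packet takes the FORWARD path rather than INPUT, and generates the inter-bridge DROP rules that close the gap. Only vmbr1, 10.3.94.31 and 10.3.94.201 come from the message; vmbr0, the tap names and the 10.3.93.0/24 addresses are constructed.

```python
# Added example (not from the pve-devel thread): a model of how a Linux host
# with an address on each of several bridges treats a packet from a VM on one
# bridge to a VM on another, plus the FORWARD rules that stop that routing.
# Everything except vmbr1 / 10.3.94.31 / 10.3.94.201 is a constructed assumption.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Bridge:
    name: str
    host_addr: str      # host's own address on the bridge, CIDR form
    vms: dict           # tap interface name -> VM address

    @property
    def network(self):
        return ipaddress.ip_interface(self.host_addr).network

    @property
    def host_ip(self):
        return ipaddress.ip_interface(self.host_addr).ip


@dataclass
class Host:
    bridges: list
    ip_forward: bool = True                              # net.ipv4.ip_forward
    forward_rules: list = field(default_factory=list)    # (in_if, out_if, target)
    forward_policy: str = "ACCEPT"                       # chain policy

    def bridge_for(self, ip):
        ip = ipaddress.ip_address(ip)
        for br in self.bridges:
            if ip in br.network:
                return br
        return None

    def path(self, src, dst):
        """Which netfilter path a packet from src to dst takes on the host."""
        src_br, dst_br = self.bridge_for(src), self.bridge_for(dst)
        if src_br is None or dst_br is None:
            return "UNROUTABLE"
        if ipaddress.ip_address(dst) == dst_br.host_ip:
            return "INPUT"          # addressed to the host: the per-tap INPUT rules apply
        if src_br is dst_br:
            # Same L2 segment: bridged, not routed. iptables FORWARD only sees
            # this traffic when net.bridge.bridge-nf-call-iptables=1.
            return "BRIDGED"
        # Different bridges: the host itself is the router between the two
        # subnets, so the packet traverses FORWARD, never INPUT or OUTPUT.
        if not self.ip_forward:
            return "DROPPED:ip_forward=0"
        for in_if, out_if, target in self.forward_rules:
            if in_if == src_br.name and out_if == dst_br.name:
                return f"FORWARD:{target}"
        return f"FORWARD:{self.forward_policy}"


def interbridge_drop_rules(bridges):
    """iptables commands that stop the host routing between any two bridges."""
    names = [b.name for b in bridges]
    return [f"iptables -A FORWARD -i {a} -o {b} -j DROP"
            for a in names for b in names if a != b]


def apply_rules(host, rules):
    """Load the generated commands into the model (no real iptables call)."""
    for cmd in rules:
        p = cmd.split()
        host.forward_rules.append((p[p.index("-i") + 1],
                                   p[p.index("-o") + 1],
                                   p[p.index("-j") + 1]))


def demo():
    """Return the FORWARD verdict for VM(vmbr0) -> VM(vmbr1) before and after the rules."""
    host = Host(bridges=[
        Bridge("vmbr0", "10.3.93.31/24", {"tap100i0": "10.3.93.201"}),   # constructed
        Bridge("vmbr1", "10.3.94.31/24", {"tap115i0": "10.3.94.201"}),   # from the thread
    ])
    before = host.path("10.3.93.201", "10.3.94.201")
    apply_rules(host, interbridge_drop_rules(host.bridges))
    after = host.path("10.3.93.201", "10.3.94.201")
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("VM(vmbr0) -> VM(vmbr1):", before, "->", after)
```

The model deliberately ignores physdev matching: a rule such as `-A INPUT -m physdev --physdev-in tap115i0 -j DROP` is only consulted on the INPUT path, which is why the routed inter-bridge packet returns `FORWARD:ACCEPT` until the generated FORWARD rules (or `net.ipv4.ip_forward=0`, where routing is not needed at all) are in place.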