>> vmbr0(10.1.0.1/24) => VM1(10.1.0.2)
>> vmbr1(10.2.0.1/24) => VM2(10.2.0.2)
>>
>> So traffic from VM1 to VM2 is enabled without firewall when you use gateway
>> 10.1.0.1
Ah ok, I understand. But isn't it blocked by the INPUT rule on the host? (10.1.0.2 -> 10.1.0.1)

I'll do a test today.

If we really want to block host->tap without a known IP in the guest, we could also only allow known authorized IPs in OUTPUT:

iptables -A OUTPUT -d kvmhost1 -j ACCEPT
iptables -A OUTPUT -d kvmhost2 -j ACCEPT
iptables -A OUTPUT -d adminip -j ACCEPT
iptables -A OUTPUT -j DROP

----- Original Mail -----
From: "Dietmar Maurer" <diet...@proxmox.com>
To: "Alexandre DERUMIER" <aderum...@odiso.com>
Cc: "pve-devel" <pve-devel@pve.proxmox.com>
Sent: Friday 24 January 2014 08:57:06
Subject: RE: [pve-devel] RFC : iptables implementation

> >> If you have several bridges with assigned IPs, traffic can be routed
> >> from one VM to another VM on a different bridge. This will bypass all your
> firewall rules!
>
> Can you provide a network schema with guest and bridge IP addresses for this
> example?

vmbr0(10.1.0.1/24) => VM1(10.1.0.2)
vmbr1(10.2.0.1/24) => VM2(10.2.0.2)

So traffic from VM1 to VM2 is enabled without firewall when you use gateway 10.1.0.1

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
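Added example, not code from the thread or from Proxmox: a POSIX shell audit that detects the condition Dietmar describes (two bridges each carrying an IPv4 address on a host with net.ipv4.ip_forward enabled) and prints the FORWARD rules that would drop traffic routed between them, since such traffic crosses the host's FORWARD chain rather than the per-tap rules. It assumes the text of `ip -4 -o addr` and the sysctl value are handed in as arguments; the sample lines are constructed to match the vmbr0/vmbr1 layout above.

```shell
#!/bin/sh
# Added example, not from the pve-devel thread. Routed guest-to-guest traffic
# (VM1 -> 10.1.0.1 -> vmbr1 -> VM2) never crosses the tap rules; it traverses
# the host's FORWARD chain, so that chain is where the bypass can be closed.
# Inputs are passed as text so the audit runs without root or the ip tool.

# List bridges that carry an IPv4 address, from `ip -4 -o addr` output.
# Assumed line shape: "3: vmbr0    inet 10.1.0.1/24 brd 10.1.0.255 scope global vmbr0"
addressed_bridges() {
    printf '%s\n' "$1" | awk '$2 ~ /^vmbr/ && $3 == "inet" { print $2 }' | sort -u
}

# Succeeds (exit 0) when the host would route between guest bridges:
# forwarding is on and at least two bridges have their own address.
routing_bypass_possible() {
    ip_forward="$1"   # value of net.ipv4.ip_forward
    addr_output="$2"  # text of `ip -4 -o addr`
    n=$(addressed_bridges "$addr_output" | wc -l | tr -d ' ')
    [ "$ip_forward" = "1" ] && [ "$n" -ge 2 ]
}

# Print (do not apply) FORWARD rules dropping routed traffic between every
# pair of addressed bridges; same-bridge traffic is switched, not forwarded,
# so it is unaffected.
forward_block_rules() {
    for br_in in $(addressed_bridges "$1"); do
        for br_out in $(addressed_bridges "$1"); do
            if [ "$br_in" != "$br_out" ]; then
                echo "iptables -A FORWARD -i $br_in -o $br_out -j DROP"
            fi
        done
    done
}

# Constructed sample matching the layout in the thread.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
3: vmbr0    inet 10.1.0.1/24 brd 10.1.0.255 scope global vmbr0
4: vmbr1    inet 10.2.0.1/24 brd 10.2.0.255 scope global vmbr1'

if routing_bypass_possible 1 "$SAMPLE_ADDRS"; then
    echo "host can route between bridges; rules to close the gap:"
    forward_block_rules "$SAMPLE_ADDRS"
fi
```

On a live host, feed it `$(sysctl -n net.ipv4.ip_forward)` and `"$(ip -4 -o addr)"` instead of the sample; the printed rules are a starting point to review, not something the script applies.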