> ah ok, I understand. But isn't it blocked by the INPUT rule on host?
> (10.1.0.2->10.1.0.1) I'll do test today.
>
> If we really want to block host->tap, without known ip in guest, we could also
> only allow known authorized ips in output

We just need to be aware of that. I guess normally a user does not assign IPs to several bridges, so it is no problem by default.

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel