>>Note: we only jump to group if source == 1.2.3.4?
>>Do we want such functionality?

Can be useful to do something like this, for example:

vm1.FW
GROUP-group1 net0 - - 80 - -

vm2.FW
GROUP-group1 net0 - - 22 - -

and

[GROUP1]
ACCEPT 10.0.0.1 - - - -
ACCEPT 10.0.0.2 - - - -
ACCEPT 10.0.0.3 - - - -

>>[OUT]
>>
>>GROUP-group1 net3
>>GROUP-group2 net0
>>
>>Note: Usage of 'net3' instead of 'net0' is a typo? Or do we want to allow
>>that?

I would like to be able to set up a different security group for each interface. (I can have a VM with a LAN interface and a SAN/NFS interface, for example, with different rules.)

>>We could avoid all those problems by introducing a [GROUPS] section:
>>
>>--100.fw-
>>[GROUPS]
>>group1 net0
>>group2 net0
>>
>>[IN]
>>
>>[OUT]
>>
>>-----
>>
>>what do you think?

Mmm, I don't know, because like this we can't specify group rules order vs tap rules order.

If for example I have a group rule with a DROP and a tap rule with ACCEPT, and I want the group rule tested before the tap rule.

Or the reverse: I have a tap rule with DROP and a group rule with ACCEPT, and I want the tap rule tested before the group rule.

----- Original Message -----
From: "Dietmar Maurer" <diet...@proxmox.com>
To: "Alexandre DERUMIER (aderum...@odiso.com)" <aderum...@odiso.com>
Cc: pve-devel@pve.proxmox.com
Sent: Thursday, 27 February 2014 11:32:39
Subject: pvefw security group questions

I still have problems with the security group design, for example:

--100.fw-
[IN]
GROUP-group1 net0
GROUP-group2 net0

[OUT]
GROUP-group2 net0
GROUP-group1 net0
-----

Note: group order is different between IN and OUT

--100.fw-
[IN]
GROUP-group1 net0 1.2.3.4
-----

Note: we only jump to group if source == 1.2.3.4? Do we want such functionality?

another example:

--100.fw-
[IN]
GROUP-group1 net0
GROUP-group2 net0

[OUT]
GROUP-group1 net3
GROUP-group2 net0
-----

Note: Usage of 'net3' instead of 'net0' is a typo? Or do we want to allow that?

We could avoid all those problems by introducing a [GROUPS] section:

--100.fw-
[GROUPS]
group1 net0
group2 net0

[IN]

[OUT]
-----

what do you think?
_______________________________________________ pve-devel mailing list pve-devel@pve.proxmox.com http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
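As an added example (not code from this thread and not pve-firewall's own implementation), here is a toy first-match evaluator for a 100.fw-style file. It makes the ordering problem raised in the reply concrete: the same rules give a different verdict depending on whether the GROUP-group1 jump sits before or after the tap-level ACCEPT, and it shows the source-gated jump (`GROUP-group1 net0 1.2.3.4`) and the per-interface binding (`net0` vs `net3`) asked about in the original mail. The column layout, the "return to the next VM rule when nothing in the group matches" semantics, the section names and the sample configs are all assumptions made for this illustration.

```python
"""Toy first-match evaluator for a pvefw-style VM firewall file (added example).

Assumed column layout (not the real pve-firewall format):
  VM rule (in [IN]/[OUT]):   ACTION IFACE SOURCE DEST PROTO DPORT SPORT
  group rule (in [<group>]): ACTION SOURCE DEST PROTO DPORT SPORT
'-' or a missing trailing column means "any".  ACTION is ACCEPT, DROP, REJECT
or GROUP-<name>; GROUP-<name> jumps into that group's rules and, if none of
them match, evaluation returns to the next VM rule (like an iptables user
chain that RETURNs).  Section names are compared case-insensitively.
"""
import ipaddress
import re
from dataclasses import dataclass

VM_COLS = ("iface", "source", "dest", "proto", "dport", "sport")
GROUP_COLS = ("source", "dest", "proto", "dport", "sport")
VERDICTS = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    action: str
    match: dict  # column -> value, or None for "any"


def parse_fw(text):
    """Parse the file into {'in': [...], 'out': [...], '<group>': [...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[([\w-]+)\]", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"rule outside any section: {line!r}")
        fields = line.split()
        cols = VM_COLS if current in ("in", "out") else GROUP_COLS
        if len(fields) - 1 > len(cols):
            raise ValueError(f"too many columns: {line!r}")
        action = fields[0]
        is_jump = action.upper().startswith("GROUP-")
        if not is_jump and action.upper() not in VERDICTS:
            raise ValueError(f"unknown action: {action!r}")
        if is_jump and current not in ("in", "out"):
            raise ValueError(f"nested group jump not allowed: {line!r}")
        match = dict.fromkeys(cols)  # every column "any" until set below
        for col, val in zip(cols, fields[1:]):
            match[col] = None if val == "-" else val
        sections[current].append(Rule(action, match))
    return sections


def _matches(rule, pkt):
    for col, want in rule.match.items():
        if want is None:
            continue
        have = pkt.get(col)
        if col in ("source", "dest"):  # address or CIDR match
            if have is None or ipaddress.ip_address(have) not in \
                    ipaddress.ip_network(want, strict=False):
                return False
        elif str(have).lower() != str(want).lower():
            return False
    return True


def evaluate(sections, direction, pkt, default="DROP"):
    """First match wins.  Returns (verdict, trace); the trace records each
    rule and group jump consulted, so the effect of rule order is visible."""
    trace = []
    for rule in sections.get(direction.lower(), []):
        if not _matches(rule, pkt):
            continue
        if rule.action.upper().startswith("GROUP-"):
            gname = rule.action[len("GROUP-"):].lower()
            if gname not in sections:
                raise ValueError(f"unknown group {gname!r}")
            trace.append(f"jump {gname}")
            for grule in sections[gname]:
                if _matches(grule, pkt):
                    trace.append(f"{gname}: {grule.action.upper()}")
                    return grule.action.upper(), trace
            trace.append(f"return from {gname}")  # no group match: keep going
            continue
        trace.append(rule.action.upper())
        return rule.action.upper(), trace
    trace.append(f"default {default}")
    return default, trace


def verdict(text, direction, pkt):
    return evaluate(parse_fw(text), direction, pkt)[0]


# Constructed sample configs (not from the thread): same rules, two orders.
GROUP_FIRST = "[IN]\nGROUP-group1 net0\nACCEPT net0 - - tcp 22\n[group1]\nDROP 10.0.0.0/8\n"
TAP_FIRST = "[IN]\nACCEPT net0 - - tcp 22\nGROUP-group1 net0\n[group1]\nDROP 10.0.0.0/8\n"
# Jump only taken when the source column matches (the 1.2.3.4 case).
SOURCE_GATED = "[IN]\nGROUP-group1 net0 1.2.3.4\n[group1]\nACCEPT - - tcp 80\n"

# Constructed packets.
SSH_FROM_LAN = {"iface": "net0", "source": "10.0.0.5", "dest": "10.0.0.1", "proto": "tcp", "dport": 22}
HTTP_FROM_1234 = {"iface": "net0", "source": "1.2.3.4", "dest": "10.0.0.1", "proto": "tcp", "dport": 80}
HTTP_FROM_OTHER = dict(HTTP_FROM_1234, source="5.6.7.8")
HTTP_ON_NET3 = dict(HTTP_FROM_1234, iface="net3")

if __name__ == "__main__":
    for name, cfg in (("group first", GROUP_FIRST), ("tap first", TAP_FIRST)):
        print(name, evaluate(parse_fw(cfg), "IN", SSH_FROM_LAN))
    for pkt in (HTTP_FROM_1234, HTTP_FROM_OTHER, HTTP_ON_NET3):
        print("source-gated", pkt["source"], pkt["iface"], evaluate(parse_fw(SOURCE_GATED), "IN", pkt))
```

Running it shows SSH from 10.0.0.5 dropped under `GROUP_FIRST` (the group's DROP is consulted first) but accepted under `TAP_FIRST`, which is exactly why a separate `[GROUPS]` section with no position in the rule list cannot express both intentions. Under `SOURCE_GATED` only traffic from 1.2.3.4 on net0 enters the group; a different source or the same source on net3 never jumps and falls through to the default.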