>> So that DROP is simply skipped when you use:
>>
>> vm1.FW
>> GROUP-group1 net0 - - 80 - -
>>
>> That looks quite strange to me?
Yes, indeed, this can be tricky....

Alternatively, for this kind of setup with group rules that carry IPs, maybe we could implement ipset? It allows creating groups/aliases of IPs or ports, and it is faster (hash table):

ipset -N groupip iphash --probes 8
ipset -A groupip 10.0.0.1
ipset -A groupip 10.0.0.2
ipset -A groupip 10.0.0.3
iptables -A tapchain -p tcp --dport 80 -m set --set groupip src -j ACCEPT
iptables -A tapchain -p tcp --dport 22 -m set --set groupip src -j ACCEPT

It's faster, and maybe avoids confusion.

----- Original Mail -----
From: "Dietmar Maurer" <diet...@proxmox.com>
To: "Alexandre DERUMIER" <aderum...@odiso.com>
Cc: pve-devel@pve.proxmox.com
Sent: Thursday 27 February 2014 16:04:25
Subject: RE: pvefw security group questions

> Can be useful to do something like this, for example:
>
> vm1.FW
> GROUP-group1 net0 - - 80 - -
>
>
> vm2.FW
> GROUP-group1 net0 - - 22 - -
>
>
> and
> [GROUP1]
>
> ACCEPT 10.0.0.1 - - - -
> ACCEPT 10.0.0.2 - - - -
> ACCEPT 10.0.0.3 - - - -

I thought a security group would also define things which should be blocked, for example:

[GROUP1]
ACCEPT 10.0.0.1 - - - -
ACCEPT 10.0.0.2 - - - -
ACCEPT 10.0.0.3 - - - -
DROP - - udp -

So that DROP is simply skipped when you use:

vm1.FW
GROUP-group1 net0 - - 80 - -

That looks quite strange to me?

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
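As an added illustration of the ipset approach suggested in the reply above (example code written for this page, not code from Proxmox or from anyone on the thread): a small Python generator that turns a group's IP list into `ipset restore` input and emits the matching iptables rules. The chain name `tapchain`, the set name `group1` and the two VM port lists are assumptions taken from the thread's example; every member is validated as an IPv4 address before it is interpolated into a command line, so a stray value in a config file cannot turn into shell or ipset syntax. It uses the current `hash:ip` type and `--match-set` spelling rather than the older `iphash`/`--set` forms shown in the mail.

```python
"""Generate ipset + iptables rules for an IP alias group (constructed example)."""
import ipaddress
import shlex


def is_valid_member(member):
    """True only for a plain IPv4 address; anything else is refused."""
    try:
        return ipaddress.ip_address(member).version == 4
    except ValueError:
        return False


def ipset_restore_lines(setname, members):
    """Build `ipset restore` input for a hash:ip set holding the group's IPs.

    -exist makes both create and add idempotent, so the same input can be
    replayed after a firewall reload without errors.
    """
    bad = [m for m in members if not is_valid_member(m)]
    if bad:
        raise ValueError(f"not IPv4 addresses: {bad}")
    lines = [f"create {setname} hash:ip family inet -exist"]
    lines.extend(f"add {setname} {m} -exist" for m in members)
    return lines


def iptables_rules(chain, setname, ports, proto="tcp", target="ACCEPT"):
    """One rule per port: match source IP against the set, then jump to target."""
    rules = []
    for port in ports:
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError(f"bad port {port}")
        rules.append(
            f"iptables -A {shlex.quote(chain)} -p {proto} --dport {port} "
            f"-m set --match-set {shlex.quote(setname)} src -j {target}"
        )
    return rules


def render(setname, members, vm_ports, chain="tapchain"):
    """Full script text: ipset restore block, then the per-VM iptables rules.

    vm_ports maps a VM name to the ports it opens to the group; this mirrors
    the thread's vm1 (port 80) / vm2 (port 22) sharing one [GROUP1] list.
    """
    out = ["ipset restore <<'EOF'"]
    out.extend(ipset_restore_lines(setname, members))
    out.append("EOF")
    for vm, ports in vm_ports.items():
        out.append(f"# rules for {vm}")
        out.extend(iptables_rules(chain, setname, ports))
    return "\n".join(out)


if __name__ == "__main__":
    # Constructed input matching the thread's example group and VMs.
    print(render("group1",
                 ["10.0.0.1", "10.0.0.2", "10.0.0.3"],
                 {"vm1": [80], "vm2": [22]}))
```

Because the set is referenced by name, changing the group later is an `ipset` update of the members only; the iptables rules stay untouched, which is the "faster, and maybe avoids confusion" point of the reply.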