>>So you want to create one ipset for each rule? 
no

>>Or simply allow users 
>>to define groups of address, like:

yes :) An advantage could also be to easily use this groupip in groups of rules.
I would also like to be able to share these groupip between different guests.

It could be great to have something like:

vm1 : group1

vm2: group2


group1 : allow ssh from ipgroup

group2 : allow http from ipgroup

>>
>>----1000.fw---
>>[IPSET:groupip]
>>
>>10.0.0.1 # first server IP
>>10.0.0.2 # second server IP
>>10.0.0.3 # third server IP
>>00:15:17:f8:c3:e5 # a MAC address?

ipset can manage IP-MAC groups (it needs both).
But I'm not sure using MAC is a good idea, because you can only do iptables 
rules with a source MAC, and not a destination MAC


>>what about ports?
yes, it's also possible to do port groups
all types of hash group that ipset supports: 
http://ipset.netfilter.org/features.html

shorewall also supports ipsets : http://shorewall.net/ipsets.html


----- Mail original ----- 

From: "Dietmar Maurer" <diet...@proxmox.com> 
To: "Alexandre DERUMIER" <aderum...@odiso.com> 
Cc: pve-devel@pve.proxmox.com 
Sent: Friday 28 February 2014 07:48:46 
Subject: RE: pvefw security group questions 

> Yes, Indeed, this can be tricky.... 
> 
> Alternatively, for this kind of setup, with group rules containing IPs, 
> maybe we can implement ipset? 

never used that so far. 

> This allows creating groups/aliases of IPs or ports, and it's faster (hashtable) 
> 
> ipset -N groupip iphash --probes 8 
> ipset -A groupip 10.0.0.1 
> ipset -A groupip 10.0.0.2 
> ipset -A groupip 10.0.0.3 
> 
> iptables -A tapchain -p tcp --dport 80 -m set --set groupip src -j ACCEPT 
> iptables -A tapchain -p tcp --dport 22 -m set --set groupip src -j ACCEPT 
> 
> It's faster, 

So you want to create one ipset for each rule? Or simply allow users 
to define groups of address, like: 

----1000.fw--- 
[IPSET:groupip] 

10.0.0.1 # first server IP 
10.0.0.2 # second server IP 
10.0.0.3 # third server IP 
00:15:17:f8:c3:e5 # a MAC address? 
what about ports? 

... 

[IN] 

ACCEPT $groupip - tcp 22 
---------- 
_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
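Added example (editor's note, not code from the thread, from pve-firewall or from ipset): a small Python compiler that turns the `[IPSET:name]` / `[IN]` group syntax sketched in the thread into `ipset restore` input and iptables rule lines. It uses the current ipset type names (`hash:net`, `hash:ip,mac`, `bitmap:port`) rather than the older `iphash` form in the quoted commands. The chain names (`tapchain-IN`/`-OUT`), the `name_tmp` swap scheme, the `ACTION SOURCE DEST PROTO DPORT` rule layout, the IPv4-only handling and the sample config are assumptions of this example. It encodes the two caveats raised above: a MAC only goes in as an IP,MAC pair, and such a set can only be matched on the source side (`--match-set name src,src`).

```python
import ipaddress
import re

MAC = r"([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
CHAIN = {"IN": "tapchain-IN", "OUT": "tapchain-OUT"}   # assumed names, after the thread's "tapchain"

def parse_fw(text):
    """Split [IPSET:name] / [IN] / [OUT] sections into ({set: [entries]}, [(dir, rule)])."""
    groups, rules, section, cur = {}, [], None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # '#' starts a comment
        if not line:
            continue
        m = re.fullmatch(r"\[IPSET:(\w+)\]", line)
        if m:
            cur, section = m.group(1), "ipset"
            groups.setdefault(cur, [])
        elif line in ("[IN]", "[OUT]"):
            section = line[1:-1]
        elif section == "ipset":
            groups[cur].append(line)
        elif section in CHAIN:
            rules.append((section, line))
        else:
            raise ValueError(f"entry outside any section: {line!r}")
    return groups, rules

def classify(entry):
    """ipset type an entry needs: bitmap:port, hash:ip,mac or hash:net (IPv4 assumed)."""
    if re.fullmatch(r"\d{1,5}", entry) and int(entry) <= 65535:
        return "bitmap:port"
    if re.fullmatch(MAC, entry):     # this example only takes the IP,MAC pairs the thread discusses
        raise ValueError(f"bare MAC {entry!r}: give it as IP,MAC")
    ip, _, mac = entry.partition(",")
    if mac:
        ipaddress.ip_address(ip)                        # raises on a bad address
        if not re.fullmatch(MAC, mac):
            raise ValueError(f"bad MAC in {entry!r}")
        return "hash:ip,mac"
    ipaddress.ip_network(ip, strict=False)              # single IP or CIDR, raises otherwise
    return "hash:net"

def set_type(entries):
    kinds = {classify(e) for e in entries}              # one set holds one kind of entry
    if len(kinds) != 1:
        raise ValueError(f"empty or mixed set: {sorted(kinds)}")
    return kinds.pop()

def ipset_restore(groups):
    """`ipset restore` input: fill a temporary set, then swap it in, so the live set
    is never empty or half-filled while rules reference it."""
    out = []
    for name, entries in groups.items():
        t = set_type(entries)
        opts = "range 0-65535" if t == "bitmap:port" else "family inet"
        out += [f"create {name}_tmp {t} {opts}", f"flush {name}_tmp"]
        out += [f"add {name}_tmp {e}" for e in entries]
        out += [f"create {name} {t} {opts}", f"swap {name}_tmp {name}", f"destroy {name}_tmp"]
    return out

def iptables_rules(groups, rules):
    """Translate 'ACTION SOURCE DEST PROTO DPORT' lines; '$name' references a set."""
    out = []
    for direction, line in rules:
        action, src, dst, proto, dport = line.split()
        parts = [f"-A {CHAIN[direction]}"]
        for ref, flag in ((src, "src"), (dst, "dst")):
            if ref == "-":
                continue
            if not ref.startswith("$"):
                parts.append(f"-{flag[0]} {ref}")       # plain -s / -d address
                continue
            if set_type(groups[ref[1:]]) == "hash:ip,mac":
                if flag == "dst":                       # the thread's caveat: only a source MAC is matchable
                    raise ValueError(f"{ref}: an IP,MAC set can only be matched as src")
                flag = "src,src"                        # IP and MAC both taken from the sender
            parts.append(f"-m set --match-set {ref[1:]} {flag}")
        if proto != "-":
            parts.append(f"-p {proto}")
        if dport != "-":
            if proto == "-":
                raise ValueError("a port needs -p tcp/udp in front of it")
            if dport.startswith("$"):                   # port set: match the destination port
                parts.append(f"-m set --match-set {dport[1:]} dst")
            else:
                parts.append(f"--dport {dport}")
        parts.append(f"-j {action}")
        out.append(" ".join(parts))
    return out

# Constructed sample in the thread's proposed syntax, not a real config.
SAMPLE = """\
[IPSET:groupip]
10.0.0.1 # first server IP
10.0.0.2
10.0.0.3
[IPSET:admins]
10.0.0.9,00:15:17:f8:c3:e5 # IP,MAC pair
[IPSET:webports]
80
443
[IN]
ACCEPT $groupip - tcp 22
ACCEPT $admins - tcp 22
ACCEPT - - tcp $webports
"""

if __name__ == "__main__":
    groups, rules = parse_fw(SAMPLE)
    print("\n".join(ipset_restore(groups)))           # pipe into: ipset -exist restore
    print("\n".join(iptables_rules(groups, rules)))
```

The `ipset_restore` lines are meant for `ipset -exist restore` (so the `create` of an already existing set is not an error); the rule lines run as-is when prefixed with `iptables`. Building `name_tmp` and then `swap` is what makes a reload safe: between `flush` and the last `add` the temporary set is incomplete, but the set the rules point at is replaced in one step.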