>> but that only works if the optimize flag is set (else we do not have that
>> rule)?

I wanted to say something like:

    # optional host-level checks, each guarded by its firewall option
    ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs")
        if $hostfw_options->{nosmurfs};
    ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-p tcp -j PVEFW-tcpflags")
        if $hostfw_options->{tcpflags};

    # conntrack shortcut, only present when optimize is set
    if ($hostfw_options->{optimize}) {
        my $accept = ruleset_chain_exist($ruleset, "PVEFW-IPS") ? "PVEFW-IPS" : "ACCEPT";
        ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j $accept");
        ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate INVALID -j DROP");
    }

----- Original Message -----
From: "Dietmar Maurer" <diet...@proxmox.com>
To: "Alexandre DERUMIER" <aderum...@odiso.com>
Cc: pve-devel@pve.proxmox.com
Sent: Friday 18 April 2014 10:30:28
Subject: RE: firewall option nosmurfs and tcpflags

> just put the rule in PVEFW-FORWARD, after
>
> -A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
> -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
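To make the resulting chain order visible, here is an added Python model of the Perl fragment above; it is an illustration written for this thread, not pve-firewall code. It assumes, as the thread does not state, that `ruleset_insertrule` prepends to the chain (so the last insert ends up first), that `ruleset_chain_exist` reports whether a chain is defined, and that the chain is evaluated iptables-style, first match wins. The packets and option sets are constructed.

```python
"""Model of how the PVEFW-FORWARD inserts from the mail order themselves.

Added illustration, not pve-firewall code. Assumed semantics (not stated
in the thread): ruleset_insertrule inserts at the head of the chain,
ruleset_chain_exist checks whether a chain is defined, and the chain is
evaluated first match wins, as iptables does.
"""


def ruleset_chain_exist(ruleset, chain):
    return chain in ruleset


def ruleset_insertrule(ruleset, chain, rule):
    # Assumption: insert at the head, so later inserts land earlier.
    ruleset.setdefault(chain, []).insert(0, f"-A {chain} {rule}")


def build_forward(hostfw_options, ruleset):
    """Python rendering of the Perl fragment from the mail."""
    if hostfw_options.get("nosmurfs"):
        ruleset_insertrule(ruleset, "PVEFW-FORWARD",
                           "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs")
    if hostfw_options.get("tcpflags"):
        ruleset_insertrule(ruleset, "PVEFW-FORWARD", "-p tcp -j PVEFW-tcpflags")
    if hostfw_options.get("optimize"):
        accept = "PVEFW-IPS" if ruleset_chain_exist(ruleset, "PVEFW-IPS") else "ACCEPT"
        ruleset_insertrule(ruleset, "PVEFW-FORWARD",
                           f"-m conntrack --ctstate RELATED,ESTABLISHED -j {accept}")
        ruleset_insertrule(ruleset, "PVEFW-FORWARD",
                           "-m conntrack --ctstate INVALID -j DROP")
    return ruleset


def target_of(rule):
    toks = rule.split()
    return toks[toks.index("-j") + 1]


def rule_matches(rule, pkt):
    """Minimal matcher for the only two match types the fragment uses."""
    toks = rule.split()
    if "-p" in toks and pkt["proto"] != toks[toks.index("-p") + 1]:
        return False
    if "--ctstate" in toks:
        if pkt["ctstate"] not in toks[toks.index("--ctstate") + 1].split(","):
            return False
    return True


def evaluate(ruleset, chain, pkt):
    """First matching rule decides; None means no rule in this chain matched."""
    for rule in ruleset.get(chain, []):
        if rule_matches(rule, pkt):
            return target_of(rule)
    return None


def _fresh_ruleset(ips_chain):
    ruleset = {"PVEFW-FORWARD": []}
    if ips_chain:
        ruleset["PVEFW-IPS"] = []  # constructed: pretend an IPS chain exists
    return ruleset


def forward_targets(hostfw_options, ips_chain=False):
    """Jump targets of PVEFW-FORWARD in evaluation order."""
    ruleset = build_forward(hostfw_options, _fresh_ruleset(ips_chain))
    return [target_of(r) for r in ruleset["PVEFW-FORWARD"]]


def verdict(hostfw_options, pkt, ips_chain=False):
    """Which chain or target a constructed packet reaches first."""
    ruleset = build_forward(hostfw_options, _fresh_ruleset(ips_chain))
    return evaluate(ruleset, "PVEFW-FORWARD", pkt)


if __name__ == "__main__":
    # constructed option set and packets
    opts = {"nosmurfs": 1, "tcpflags": 1, "optimize": 1}
    print("optimize on :", forward_targets(opts))
    print("optimize off:", forward_targets({"nosmurfs": 1, "tcpflags": 1}))
    for pkt in ({"proto": "tcp", "ctstate": "NEW"},
                {"proto": "tcp", "ctstate": "ESTABLISHED"},
                {"proto": "udp", "ctstate": "INVALID"}):
        print(pkt, "->", verdict(opts, pkt), "/", verdict({"nosmurfs": 1, "tcpflags": 1}, pkt))
```

Running it shows the consequence of the ordering: with optimize set, RELATED/ESTABLISHED traffic takes the early accept and only NEW packets reach PVEFW-tcpflags and PVEFW-smurfs (INVALID is already dropped); with optimize unset, PVEFW-tcpflags sees every TCP packet, established flows included, and PVEFW-smurfs also sees INVALID packets.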