Does anybody know?
On 03/18/2013 04:47 PM, Oriol Martí wrote:
Hi Ben,
first of all, thank you for your reply,
Maybe I'm wrong, but I think this is not correct. I want my VM to be able to send
traffic everywhere; this is permitted with my last rules, but the
problem is caused because all incoming traffic is filtered (except ports 22 and
80), and then the returning traffic is filtered too. For example, the
port on my VM that started the connection may be 54667; this is a
decision made by the operating system.
My solution, I think, would be to detect whether the incoming traffic is
the return traffic of a connection started by the VM or whether it comes
directly from the Internet.
As you say, I tried to open the tp_src port 80, and my VM can do wget
for HTTP websites on port 80, but it can't make outgoing connections to
other ports...
Thank you.
On 03/18/2013 03:58 PM, Ben Pfaff wrote:
You could enable the same set of ports in the other direction, but as
source ports.
On Mon, Mar 18, 2013 at 02:51:50PM +0100, Oriol Martí wrote:
Does anybody know?
On 03/14/2013 09:42 PM, Oriol Marti wrote:
Hello, I'm searching for a solution to allow the returning traffic for a VM when
all the ports, or most of them, are filtered.
I'm filtering with ovs-ofctl with masks. For example, for a given VM, if I want to
allow only ports 80 and 22 incoming, I execute:
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x1/0xffff,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x2/0xfffe,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x4/0xfffc,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x8/0xfff8,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x10/0xfffc,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x14/0xfffe,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x17/0xffff,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x18/0xfff8,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x20/0xffe0,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x40/0xfff0,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x51/0xffff,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x52/0xfffe,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x54/0xfffc,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x58/0xfff8,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x60/0xffe0,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x80/0xff80,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x100/0xff00,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x200/0xfe00,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x400/0xfc00,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x800/0xf800,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x1000/0xf000,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x2000/0xe000,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x4000/0xc000,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x8000/0x8000,actions=drop
But with all the incoming ports filtered, I've seen that the returning traffic,
when I'm doing for example a wget from the VM, is filtered too. This is caused
because the connection is made from a random port on the VM starting the
connection, and when it returns it is filtered. I don't know if there is something
like ESTABLISHED in iptables to detect the established traffic.
Maybe there is a flag in the returning packets that I can check with the rules
in ovs-ofctl?
Does anybody know a solution for this scenario?
Cheers,
_______________________________________________
discuss mailing list
[email protected]
http://openvswitch.org/mailman/listinfo/discuss
--
Oriol Martí Bonvehí
CESCA - Systems Administrator
Centre de Supercomputació de Catalunya
Gran Capità, 2-4 (Edifici Nexus) · 08034 Barcelona
T. 93 551 6212 · F. 93 205 6979 · [email protected]
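The hand-written tp_dst/mask list above, and the return-traffic problem it causes, checked in code. This is an added example, not code from the thread or from Open vSwitch: it copies Oriol's 24 value/mask pairs as data, computes which destination ports they drop, and generates the minimal prefix-mask drop list for a given allow-list, which is the procedure the list was built by hand. The bridge name br0 and the MAC in flow_commands are illustrative placeholders; 54667 is the ephemeral port Oriol mentioned.

```python
"""Added example: check a tp_dst/mask drop list like the one in the thread
and generate such a list from an allow-list. Not code from the thread or OVS."""

PORT_SPACE = 1 << 16  # TCP ports are 16 bits: 0..65535

# The 24 value/mask pairs from Oriol's message, copied as data.
ORIGINAL_RULES = [
    (0x1, 0xffff), (0x2, 0xfffe), (0x4, 0xfffc), (0x8, 0xfff8),
    (0x10, 0xfffc), (0x14, 0xfffe), (0x17, 0xffff), (0x18, 0xfff8),
    (0x20, 0xffe0), (0x40, 0xfff0), (0x51, 0xffff), (0x52, 0xfffe),
    (0x54, 0xfffc), (0x58, 0xfff8), (0x60, 0xffe0), (0x80, 0xff80),
    (0x100, 0xff00), (0x200, 0xfe00), (0x400, 0xfc00), (0x800, 0xf800),
    (0x1000, 0xf000), (0x2000, 0xe000), (0x4000, 0xc000), (0x8000, 0x8000),
]


def ports_matched(value, mask):
    """Ports p for which the OpenFlow match tp_dst=value/mask is true."""
    return {p for p in range(PORT_SPACE) if (p & mask) == (value & mask)}


def dropped_ports(rules):
    """Union of every port hit by a list of (value, mask) drop rules."""
    dropped = set()
    for value, mask in rules:
        dropped |= ports_matched(value, mask)
    return dropped


def ports_left_open(rules):
    """Sorted list of destination ports that no rule in `rules` drops."""
    return sorted(set(range(PORT_SPACE)) - dropped_ports(rules))


def blocks_return_traffic(rules, ephemeral_port):
    """True if a reply to a VM-initiated connection (whose destination is
    the VM's ephemeral source port) is dropped by these inbound rules."""
    return ephemeral_port in dropped_ports(rules)


def prefix_rules(allowed, lo=0, size=PORT_SPACE):
    """Minimal list of (value, mask) prefix matches that drop every port
    except those in `allowed`: split the aligned block [lo, lo + size)
    in halves until a block contains no allowed port (one rule) or is a
    single allowed port (no rule). A block of size 2^k gets the mask
    with its top 16-k bits set."""
    inside = [p for p in allowed if lo <= p < lo + size]
    if not inside:
        return [(lo, (PORT_SPACE - size) & 0xffff)]
    if size == 1:
        return []  # this one port is allowed: nothing to drop
    half = size // 2
    return prefix_rules(inside, lo, half) + prefix_rules(inside, lo + half, half)


def flow_commands(rules, bridge="br0", mac="52:54:00:12:34:56"):
    """Render rules as ovs-ofctl add-flow lines in the thread's style.
    `bridge` and `mac` are illustrative placeholders, not real values."""
    return [
        f"ovs-ofctl add-flow {bridge} tcp,dl_dst={mac},"
        f"tp_dst={value:#x}/{mask:#x},actions=drop"
        for value, mask in rules
    ]


if __name__ == "__main__":
    print("ports the original 24 rules leave open:",
          ports_left_open(ORIGINAL_RULES))
    print("reply to VM port 54667 dropped:",
          blocks_return_traffic(ORIGINAL_RULES, 54667))
    generated = prefix_rules({22, 80})
    print(f"generated {len(generated)} rules, leaving open "
          f"{ports_left_open(generated)}")
    for line in flow_commands(generated):
        print(line)
```

Running it shows that the hand-written list leaves 0, 22 and 80 open (port 0 slipped through because the first rule starts at 0x1, not 0x0), that a minimal cover of the same allow-list needs 21 rules rather than 24, and that a packet coming back to port 54667 is dropped, which is exactly the wget failure described: these matches see only the destination port and cannot tell a new inbound SYN from the reply to a connection the VM opened. Outside this thread's time frame, later Open vSwitch releases added `tcp_flags` matching (so a rule can pass inbound TCP packets that are not a bare SYN) and, with the conntrack integration, `ct_state=+est`, which is the counterpart of iptables' ESTABLISHED that the question asks about.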