>>Yes, but you can also apply it for a single direction (only IN, only OUT)??

Yes, because I defined them explicitly IN or OUT

[IN:security1]
>> GROUP-security1-IN ACCEPT - - - icmp - -

[OUT:security1]
>> GROUP-security1-OUT ACCEPT - - - ssh - -


> vmid.fw
> [IN]
> GROUP-security1 net0 - - - - -   >> this applies GROUP-security1-IN
>
> [OUT]
> GROUP-security1 net0 - - - - -   >> this applies GROUP-security1-OUT


This gives us:

-A GROUP-security1-IN -p icmp -j ACCEPT
-A GROUP-security1-OUT -p ssh -j BRIDGEFW-IN
-A tapxi0-OUT -j GROUP-security1-OUT
-A tapxi0-IN -j GROUP-security1-IN


If you try to apply this:

-A tap1i0-OUT -j GROUP-security1-IN

this is bad, because if you need to firewall tap1i0-OUT -> tap2-IN, it'll do an ACCEPT in the group chain and bypass tap2's inbound rules.


----- Original Message -----
From: "Dietmar Maurer" <[email protected]>
To: "Alexandre DERUMIER" <[email protected]>
Cc: [email protected]
Sent: Tuesday 18 February 2014 16:10:32
Subject: RE: pvefw security group question

> Currently you can apply the security group in both directions
>
> vmid.fw
> [IN]
> GROUP-security1 net0 - - - - -
>
> [OUT]
> GROUP-security1 net0 - - - - -
>
>
> but in vmid.fw, I only specify the GROUP name.

Yes, but you can also apply it for a single direction (only IN, only OUT)??

> But in firewall.pm, I force $group.'-IN' or $group-'OUT.
> to be sure that a wrong group-in is not in tap-out for example.
>
> Note, I have sent a small fix yesterday on the mailing list, "
> @@ -430,7 +430,7 @@ sub generate_group_rules {
> # we go the BRIDGEFW-IN because we need to check also other tap
> rules
> # (and group rules can be set on any bridge, so we can't go to
> VMBRXX-IN)
> $rule->{action} = 'BRIDGEFW-IN' if $rule->{action} eq 'ACCEPT';
> - ruleset_generate_rule($rule, $chain, $rule);
> + ruleset_generate_rule($ruleset, $chain, $rule);
> }
> }
> }
> "
> maybe this is because you can't apply the group rule in both directions ?

OK, applied that.

> >>Do you really want that (why)?
>
> We need to be careful, because in GROUP-OUT we jump to BRIDGEFW-IN
> instead of ACCEPT.
>
> >>Or can we use an extra section for GROUPS, and always apply both
> directions?
> But we could define
> [GROUPS]
> securityname1 net0
>
> and generate GROUP-IN and GROUP-OUT from this rule. (only difference is -
> j ACCEPT or -j BRIDGEFW-IN)

No. I just want to apply GROUP-IN and GROUP-OUT.

_______________________________________________
pve-devel mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
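Review bot: in the `-`/`+` pair of the quoted `generate_group_rules` hunk, the old call `ruleset_generate_rule($rule, $chain, $rule)` passed the rule hash in both the first and third position and never handed over `$ruleset`, so whatever the function did with its first argument it was working on the rule hash rather than the ruleset being built; the `+` line `ruleset_generate_rule($ruleset, $chain, $rule)` is the right fix. Two things worth doing alongside it: check the other `ruleset_generate_rule` callers for the same argument order, since Perl will not reject a hash reference passed in the wrong position, and add a regression check that generates a group chain and asserts its rules actually land in the ruleset. Also note that the line above, `$rule->{action} = 'BRIDGEFW-IN' if $rule->{action} eq 'ACCEPT';`, rewrites the action in place on `$rule`; if the same parsed rule hash were ever reused to generate the `-IN` chain, that chain would jump to BRIDGEFW-IN instead of ACCEPT, so it is worth confirming that group rules are parsed or copied per direction.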
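The direction mismatch Alexandre describes, a tap-OUT chain jumping to a GROUP-*-IN chain that ACCEPTs so the destination tap's inbound rules never run, as an added example in Python. This is not pve-firewall code: the group definitions, the tap names, vm2's inbound policy, and the way BRIDGEFW-IN dispatches to the destination tap's -IN chain are all simplifications constructed here (pve-firewall does that dispatch with a physdev match), and `tcp` stands in for the mail's `ssh`.

```python
"""Model how a security group expands into per-direction iptables chains and
why a -IN group chain must never be reached from a tap-OUT chain.

Constructed example, not pve-firewall code.  Assumptions: group rules are
(action, proto) pairs; IN means "towards the VM", OUT means "from the VM";
an OUT-group ACCEPT is rewritten to a jump to BRIDGEFW-IN so that the
destination tap's inbound chain still runs.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    action: str                   # 'ACCEPT', 'DROP', or a chain to jump to
    proto: Optional[str] = None   # None = any protocol


# Constructed stand-in for [IN:security1] / [OUT:security1].
# 'tcp' replaces the mail's 'ssh'; icmp is added to OUT so the
# traversal below has something to match.
GROUPS: Dict[Tuple[str, str], List[Rule]] = {
    ("security1", "IN"):  [Rule("ACCEPT", "icmp")],
    ("security1", "OUT"): [Rule("ACCEPT", "tcp"), Rule("ACCEPT", "icmp")],
}

Ruleset = Dict[str, List[Rule]]


def generate_group_chain(name: str, direction: str, ruleset: Ruleset) -> str:
    """Emit GROUP-<name>-<dir>; in the OUT direction an ACCEPT becomes a jump
    to BRIDGEFW-IN instead of a terminal verdict (the rewrite from the hunk)."""
    chain = f"GROUP-{name}-{direction}"
    if chain in ruleset:          # idempotent: a group may be applied by many taps
        return chain
    ruleset[chain] = []
    for r in GROUPS[(name, direction)]:
        action = r.action
        if direction == "OUT" and action == "ACCEPT":
            action = "BRIDGEFW-IN"
        ruleset[chain].append(Rule(action, r.proto))
    return chain


def apply_group(tap: str, direction: str, name: str, ruleset: Ruleset) -> str:
    """Like firewall.pm forcing $group.'-IN'/'-OUT': the tap chain's own
    direction picks the group chain suffix, so they can never be crossed."""
    chain = generate_group_chain(name, direction, ruleset)
    ruleset.setdefault(f"{tap}-{direction}", []).append(Rule(chain))
    return chain


def check_jump_directions(ruleset: Ruleset) -> List[Tuple[str, str]]:
    """Lint: every GROUP jump from tapX-IN/OUT must target a GROUP-*-IN/OUT
    chain of the same direction.  Returns the offending (chain, target) pairs."""
    problems = []
    for chain, rules in ruleset.items():
        if not chain.startswith("tap"):
            continue
        tap_dir = chain.rsplit("-", 1)[1]
        for r in rules:
            if r.action.startswith("GROUP-") and not r.action.endswith("-" + tap_dir):
                problems.append((chain, r.action))
    return problems


def render(ruleset: Ruleset) -> List[str]:
    """Render the chains as iptables-restore style -A lines."""
    lines = []
    for chain, rules in ruleset.items():
        for r in rules:
            proto = f" -p {r.proto}" if r.proto else ""
            lines.append(f"-A {chain}{proto} -j {r.action}")
    return lines


def evaluate(ruleset: Ruleset, chain: str, proto: str, dst_tap: str) -> Optional[str]:
    """Walk a chain the way netfilter does: first terminal verdict wins, a jump
    recurses, a chain that matches nothing returns None to its caller.
    BRIDGEFW-IN is modelled as dispatching to the destination tap's -IN chain."""
    if chain == "BRIDGEFW-IN":
        chain = f"{dst_tap}-IN"
    for r in ruleset.get(chain, []):
        if r.proto is not None and r.proto != proto:
            continue
        if r.action in ("ACCEPT", "DROP"):
            return r.action
        verdict = evaluate(ruleset, r.action, proto, dst_tap)
        if verdict is not None:
            return verdict
    return None


def forward_verdict(ruleset: Ruleset, proto: str,
                    src_tap: str = "tap1i0", dst_tap: str = "tap2i0") -> Optional[str]:
    """Verdict for a packet leaving src_tap towards dst_tap on the same bridge."""
    return evaluate(ruleset, f"{src_tap}-OUT", proto, dst_tap)


def build_ruleset(misapply: bool = False) -> Ruleset:
    """vm1 (tap1i0) applies security1 in both directions; vm2 (tap2i0) has a
    constructed inbound policy that refuses icmp.  With misapply=True the
    tap1i0-OUT chain jumps to the -IN group chain, the mistake from the thread."""
    ruleset: Ruleset = {}
    apply_group("tap1i0", "IN", "security1", ruleset)
    if misapply:
        generate_group_chain("security1", "IN", ruleset)
        ruleset.setdefault("tap1i0-OUT", []).append(Rule("GROUP-security1-IN"))
    else:
        apply_group("tap1i0", "OUT", "security1", ruleset)
    ruleset["tap2i0-IN"] = [Rule("DROP", "icmp"), Rule("ACCEPT")]
    return ruleset


if __name__ == "__main__":
    for label, rs in (("correct", build_ruleset()), ("misapplied", build_ruleset(misapply=True))):
        print(f"== {label} ==")
        print("\n".join(render(rs)))
        print("icmp vm1->vm2:", forward_verdict(rs, "icmp"), " lint:", check_jump_directions(rs))
```

In the correct ruleset an icmp packet from vm1 to vm2 goes tap1i0-OUT, GROUP-security1-OUT, BRIDGEFW-IN, tap2i0-IN and is dropped by vm2's own rule; in the misapplied one GROUP-security1-IN returns ACCEPT straight from tap1i0-OUT and tap2i0-IN is never consulted, which is exactly the bypass the mail warns about. The lint in `check_jump_directions` is the kind of check a rule generator can run over its own output to catch a crossed direction before the rules are loaded.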
