OK, I'll test the latest git; I think it should work. (But finally, you create GROUP-IN and GROUP-OUT rules? I thought you wanted common group rules.)
----- Original Message -----
From: "Dietmar Maurer" <[email protected]>
To: "Alexandre DERUMIER" <[email protected]>
Cc: [email protected]
Sent: Wednesday 19 February 2014 08:03:57
Subject: RE: [pve-devel] pvefw security group question

> Not sure, you do a goto PVE_SPECIAL_ACCEPT, so it's finished in
> PVE_SPECIAL_ACCEPT.
>
> But how do you get into vmbrX-IN, to check destination inbound rules?

Here is an example:

...
create PVEFW-SET-ACCEPT-MARK (uGWkX9NXBZni/I1q1QPuKX6AX5w)
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-mark 1
create GROUP-group1-IN (ero56fv6+VERm+VzEg8tBYCeC3Q)
-A GROUP-group1-IN -p tcp --dport 22 -j ACCEPT
create GROUP-group1-OUT (ftsSscJQ0Ev+Oi9l72TJRxz5UjE)
-A GROUP-group1-OUT -j MARK --set-mark 0
-A GROUP-group1-OUT -p tcp --dport 80 -g PVEFW-SET-ACCEPT-MARK
update tap100i0-OUT (iXbuWZcc7VZC6uexpZjL4Nwg5uY)
-A tap100i0-OUT -m state --state INVALID -j DROP
-A tap100i0-OUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A tap100i0-OUT -m mac ! --mac-source 0E:0B:38:B8:B3:21 -j DROP
-A tap100i0-OUT -j GROUP-group1-OUT
-A tap100i0-OUT -m mark --mark 1 -j vmbr0-IN
-A tap100i0-OUT -j LOG --log-prefix "tap100i0-OUT-dropped: " --log-level 4
-A tap100i0-OUT -j DROP

_______________________________________________
pve-devel mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
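The question in the thread is how a packet that matched a security-group rule via `-g PVEFW-SET-ACCEPT-MARK` still ends up in vmbr0-IN. The following is an added example, not Proxmox VE code and not from either author: a small model of how netfilter walks exactly the chains quoted above, so the `-j` / `-g` / `MARK` interplay can be traced on constructed packets. It assumes packets carry only the fields the posted rules match on, and it does not model vmbr0-IN (its rules are not in the mail), so reaching that chain is reported as the result.

```python
# Added example, not Proxmox VE code: a model of how netfilter walks the
# chains quoted in the mail above. Assumptions: packets carry only the fields
# the posted rules match on; vmbr0-IN is not modelled (its rules are not in
# the mail), so entering it is reported instead of a final verdict.
from dataclasses import dataclass

VM_MAC = "0E:0B:38:B8:B3:21"  # the --mac-source value in the tap100i0-OUT rule


@dataclass
class Packet:
    proto: str = "tcp"
    dport: int = 0
    mac_source: str = VM_MAC
    state: str = "NEW"   # conntrack state as seen by '-m state'
    mark: int = 0        # fwmark: set by '-j MARK', read by '-m mark'


@dataclass
class Rule:
    matches: list   # predicates that must all hold (the -p / -m options)
    target: tuple   # ("-j", chain), ("-g", chain), ("ACCEPT",), ("DROP",),
                    # ("MARK", value) or ("LOG", prefix)


def tcp_dport(port):
    return lambda p: p.proto == "tcp" and p.dport == port

def state(*states):
    return lambda p: p.state in states

def mac_source_not(mac):  # '-m mac ! --mac-source'
    return lambda p: p.mac_source.upper() != mac.upper()

def mark_is(value):  # '-m mark --mark'
    return lambda p: p.mark == value


# The chains exactly as in the quoted mail; vmbr0-IN is deliberately absent.
CHAINS = {
    "PVEFW-SET-ACCEPT-MARK": [Rule([], ("MARK", 1))],
    "GROUP-group1-IN": [Rule([tcp_dport(22)], ("ACCEPT",))],
    "GROUP-group1-OUT": [
        Rule([], ("MARK", 0)),
        Rule([tcp_dport(80)], ("-g", "PVEFW-SET-ACCEPT-MARK")),
    ],
    "tap100i0-OUT": [
        Rule([state("INVALID")], ("DROP",)),
        Rule([state("RELATED", "ESTABLISHED")], ("ACCEPT",)),
        Rule([mac_source_not(VM_MAC)], ("DROP",)),
        Rule([], ("-j", "GROUP-group1-OUT")),
        Rule([mark_is(1)], ("-j", "vmbr0-IN")),
        Rule([], ("LOG", "tap100i0-OUT-dropped: ")),
        Rule([], ("DROP",)),
    ],
}


def evaluate(chain, pkt, chains=CHAINS):
    """Walk the chains for pkt; returns (verdict, chain). verdict is ACCEPT,
    DROP, ENTER (left the modelled chains into `chain`) or RETURN (fell off
    the end of the entry chain)."""
    stack = []  # resume points (chain, next index); pushed by -j only
    idx = 0
    while True:
        rules = chains.get(chain)
        if rules is None:
            return "ENTER", chain
        if idx >= len(rules):
            # Implicit RETURN at end of chain. A chain entered via -g pushed
            # no frame, so control goes back to whoever did the last -j.
            if not stack:
                return "RETURN", chain
            chain, idx = stack.pop()
            continue
        rule = rules[idx]
        idx += 1
        if not all(m(pkt) for m in rule.matches):
            continue
        kind = rule.target[0]
        if kind in ("ACCEPT", "DROP"):
            return kind, chain
        if kind == "MARK":      # non-terminating: set the mark and go on
            pkt.mark = rule.target[1]
        elif kind == "LOG":     # non-terminating: would log, then go on
            pass
        elif kind == "-j":      # jump: remember where to resume
            stack.append((chain, idx))
            chain, idx = rule.target[1], 0
        elif kind == "-g":      # goto: no frame, the target returns to our caller
            chain, idx = rule.target[1], 0


def trace_vm_out(dport, **fields):
    """One constructed outbound VM packet through tap100i0-OUT."""
    pkt = Packet(dport=dport, **fields)
    verdict, where = evaluate("tap100i0-OUT", pkt)
    return verdict, where, pkt.mark
```

`trace_vm_out(80)` shows the path the mail describes: tap100i0-OUT jumps into GROUP-group1-OUT, the dport 80 rule does a goto into PVEFW-SET-ACCEPT-MARK, the mark becomes 1, and because `-g` pushed no return frame the end of that chain returns straight to tap100i0-OUT, where `-m mark --mark 1 -j vmbr0-IN` then sends the packet on to the bridge's inbound chain. `trace_vm_out(443)` leaves the mark at 0 and falls through to the LOG and DROP rules. Note that `-g` only differs from `-j` when the calling chain has rules after the match; GROUP-group1-OUT has none here, so the goto mainly guarantees the group chain is left immediately once the accept mark is set.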
