Hi, I'm thinking about a feature:
Adding datacenter-global drop/blacklist rules.

This could be useful in case of an attack, DDoS, ...

For example, adding, at the beginning of PVE-FORWARD, a drop for matching IPs (or maybe better, an ipset group "blacklist").

So, this avoids parsing all the tap rules to finally drop (which can be CPU heavy, as the connection is never established, and each packet needs to be dropped, again and again).

Also, maybe adding a list of authorized ports (in case of a global port scan attack, or if the superadmin wants to allow only specific ports).

What do you think about it?

(BTW, I'm working on the ipset feature, I'll send patches after ips is finished)
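
The early-drop rule proposed above, as an added example that is not part of the original mail or of pve-firewall: a POSIX shell script that turns an address list into `ipset restore` input and prints the matching `iptables` command. The set name `blacklist` and the chain `PVE-FORWARD` come from the mail; the scratch set `blacklist-tmp`, the function names and the sample addresses are assumptions made for the example.

```shell
# Added example: only prints text, changes nothing on the host.
SET_NAME=blacklist        # set name from the mail
CHAIN=PVE-FORWARD         # chain name from the mail
TMP_SET="$SET_NAME-tmp"   # hypothetical scratch set used for the atomic swap

# Accept a.b.c.d or a.b.c.d/1..32 (hash:net cannot store a /0 network).
valid_entry() {
    addr=${1%%/*}
    prefix=32
    case $1 in */*) prefix=${1#*/} ;; esac
    case $prefix in ''|*[!0-9]*|???*|0*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ????*|0?*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# stdin: one address or CIDR per line, '#' starts a comment.
# stdout: restore script that fills a scratch set, then swaps it in.
build_restore() {
    echo "create $SET_NAME hash:net family inet"
    echo "create $TMP_SET hash:net family inet"
    echo "flush $TMP_SET"
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
        [ -n "$line" ] || continue
        if valid_entry "$line"; then
            echo "add $TMP_SET $line"
        else
            echo "skipped invalid entry: $line" >&2
        fi
    done
    echo "swap $TMP_SET $SET_NAME"
    echo "destroy $TMP_SET"
}

# One set lookup at the top of the chain, ahead of the per-tap rules.
drop_rule() { echo "iptables -I $CHAIN 1 -m set --match-set $SET_NAME src -j DROP"; }

# Constructed sample list: documentation ranges plus two bad entries.
sample_list() {
    printf '%s\n' '192.0.2.0/24  # scanner' '198.51.100.7' '203.0.113.0/24' '0.0.0.0/0' '10.0.0.256'
}

sample_list | build_restore; drop_rule
```

Load the generated text with `ipset -exist restore` so that re-runs and duplicate entries do not abort the load; the swap replaces the live set's contents in one step, so the DROP rule never matches against a half-filled set.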
