Hi Alexandre,

first, my plan is to rename 'groups.fw' to 'cluster.fw'. That new file can also include a cluster wide 'rules' section, and we can add further sections if needed.

> So, this avoids parsing all taps rules to finally drop (which can be cpu
> heavy, as the connection is never established, and each packet needs to be
> dropped, again and again)

That is the purpose of the firewall.

> also maybe adding a list of authorized ports (in case of global port scan
> attack, or if superadmin wants to allow only specific ports)
>
> What do you think about it?

That looks very specific, and not a general purpose setup. Maybe we simply define 2 ipsets named 'Blacklist' and 'Whitelist'?

> (BTW, I'm working on ipset feature, I'll send patches after ips will be
> finished)

Great. I am working on the API/GUI.

_______________________________________________
pve-devel mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
