>>That looks very specific, and not a general purpose setup. >>Maybe we simply define 2 ipsets named 'Blacklist' and 'Whitelist'?
Yes, I think it's ok like this ! ----- Mail original ----- De: "Dietmar Maurer" <[email protected]> À: "Alexandre DERUMIER" <[email protected]>, "pve-devel" <[email protected]> Envoyé: Mardi 25 Mars 2014 05:58:04 Objet: RE: [pve-devel] pve-firewall : datacenter drop/blacklist rules ? Hi Alexandre, first, my plan is to rename 'groups.fw' to 'cluster.fw'. That new file can also include a cluster wide 'rules' section, and we can add further sections if needed. > So, this avoid to parse all taps rules to finally drop (which can be cpu > heavy, as > the connection is never established, and each packet need to be dropped, > again and again) That is the purpose of the firewall. > also maybe adding a list of authorized ports (in case of global ports scan > attack, or if superadmin want to allowed only specific ports) > > > What do you think about it ? That looks very specific, and not a general purpose setup. Maybe we simply define 2 ipsets named 'Blacklist' and 'Whitelist'? > (BTW, I'm working on ipset feature, I'll send patches after ips will be > finished) Great. I am working on the API/GUI. _______________________________________________ pve-devel mailing list [email protected] http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
