Thanks, if it filters both (input and output) it will be very useful for me.

Sent from my iPhone

> On February 17, 2015, at 13:09, Dietmar Maurer <[email protected]> wrote:
>
>> On February 17, 2015 at 4:26 AM lyt_yudi <[email protected]> wrote:
>>
>> hi, all
>>
>> follow this wiki: http://pve.proxmox.com/wiki/Proxmox_VE_Firewall
>> to set ipfilter for a vm,
>>
>> ……
>> [IPSET ipfilter-net0] # only allow specified IPs on net0
>>
>> 192.168.2.10
>> ……
>>
>> ……
>> exists PVEFW-100-ipfilter-net0-v4 (6/YhjSitJrLDzL68TOZLZTTyrdw)
>> create PVEFW-100-ipfilter-net0-v4 hash:net family inet hashsize 64 maxelem 64
>> add PVEFW-100-ipfilter-net0-v4 192.168.2.10
>> ……
>>
>> ……
>> exists tap100i0-IN (ZLbqszyZjHTbgigwssl+aZm4ogU)
>> -A tap100i0-IN -p udp --dport 68 --sport 67 -j ACCEPT
>> -A tap100i0-IN -m set --match-set PVEFW-0-vcloud-v4 src -j ACCEPT
>> -A tap100i0-IN -j PVEFW-Drop
>> -A tap100i0-IN -j NFLOG --nflog-prefix ":100:7:tap100i0-IN: policy DROP: "
>> -A tap100i0-IN -j DROP
>> exists tap100i0-OUT (JwDnqsG9n2fnt8RZFCGMMl+rD90)
>> -A tap100i0-OUT -p udp --dport 67 --sport 68 -g PVEFW-SET-ACCEPT-MARK
>> -A tap100i0-OUT -m mac ! --mac-source 86:E2:F4:1C:9D:31 -j DROP
>> -A tap100i0-OUT -m set ! --match-set PVEFW-100-ipfilter-net0-v4 src -j DROP
>> -A tap100i0-OUT -j MARK --set-mark 0
>> -A tap100i0-OUT -g PVEFW-SET-ACCEPT-MARK
>> ……
>>
>> puzzling to me:
>>
>> from tap100i0-OUT to outside is DROP ?
>
> No, it is "! --match-set PVEFW-100-ipfilter-net0-v4"
>
> Note: Notice the '!' (drop everything not matching)
>
>> from outside to tap100i0-IN is still ACCEPT ?
>
> Yes, we only filter output so far. It is unclear to me if we gain much
> when filtering input also (would be easy to implement).
> _______________________________________________
> pve-user mailing list
> [email protected]
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
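To make the '!' semantics in the quoted tap100i0-OUT chain concrete, here is a small Python simulator added for this thread (not code from the thread, from Proxmox, or from pve-firewall). The ipset contents and the five OUT rules are embedded as a constructed sample taken from the quoted output; the PVEFW-SET-ACCEPT-MARK jump is treated as ACCEPT, which is an assumption, and MARK is treated as non-terminating.

```python
import ipaddress
import shlex

# Constructed sample: the ipset and the tap100i0-OUT chain quoted in the thread.
IPSETS = {"PVEFW-100-ipfilter-net0-v4": [ipaddress.ip_network("192.168.2.10/32")]}
TAP100I0_OUT = """
-A tap100i0-OUT -p udp --dport 67 --sport 68 -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -m mac ! --mac-source 86:E2:F4:1C:9D:31 -j DROP
-A tap100i0-OUT -m set ! --match-set PVEFW-100-ipfilter-net0-v4 src -j DROP
-A tap100i0-OUT -j MARK --set-mark 0
-A tap100i0-OUT -g PVEFW-SET-ACCEPT-MARK
"""

def rule_matches(tokens, pkt):
    """Evaluate one rule's match options; a '!' negates only the option after it."""
    i, negate = 0, False
    while i < len(tokens) and tokens[i] not in ("-j", "-g"):
        t = tokens[i]
        if t == "!":
            negate, i = True, i + 1
            continue
        if t == "-p":
            hit, i = pkt.get("proto") == tokens[i + 1], i + 2
        elif t in ("--dport", "--sport"):
            hit, i = pkt.get(t[2:]) == int(tokens[i + 1]), i + 2
        elif t == "--mac-source":
            hit, i = pkt["mac"].lower() == tokens[i + 1].lower(), i + 2
        elif t == "--match-set":  # followed by 'NAME src': skip three tokens
            src = ipaddress.ip_address(pkt["src"])
            hit, i = any(src in net for net in IPSETS[tokens[i + 1]]), i + 3
        else:  # '-A chain', '-m mac', '-m set' carry no match semantics
            i += 1
            continue
        if hit == negate:  # plain match that missed, or negated match that hit
            return False
        negate = False
    return True

def verdict(chain_text, pkt):
    """Walk the chain top to bottom and return the first terminating target."""
    for line in chain_text.strip().splitlines():
        tokens = shlex.split(line)
        if not rule_matches(tokens, pkt):
            continue
        jump = "-j" if "-j" in tokens else "-g"
        target = tokens[tokens.index(jump) + 1]
        # Assumption: the PVEFW-SET-ACCEPT-MARK chain ends in ACCEPT for this packet.
        if target in ("DROP", "ACCEPT", "PVEFW-SET-ACCEPT-MARK"):
            return "DROP" if target == "DROP" else "ACCEPT"
        # MARK and NFLOG are non-terminating targets: keep walking
    return "RETURN"
```

Running a packet from 192.168.2.10 with the VM's MAC returns ACCEPT, while the same packet from any source not in the ipset, or from a different MAC, returns DROP; a DHCP request (UDP 68 to 67) is accepted before the IP check, which is why the VM can still obtain a lease.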
