Zone $ZVMBR0EXT contains all physical network interfaces. We consider this zone to be the external world.
-FIXME: The following is not clear - how do we handle traffic from
-other VM?
-
A shorewall rule for inbound traffic looks like this:
- SSH(ACCEPT) $ZVMBR0EXT $ZVMBR0VM100:tap100i0
+ SSH(ACCEPT) all $ZVMBR0VM100:tap100i0
Outbound rules looks like:
SSH(ACCEPT) $ZVMBR0VM100:tap100i0 all
+Problems
+===================
+
+Inbound rules with source IP does not work, because shorewall
+does not allow rules like:
+
+ SSH(ACCEPT) all:IP_ADDRESS $ZVMBR0VM100:tap100i0
+
+As workaroud, we create one rule for each BP zone on the same
+bridge:
+
+ SSH(ACCEPT) $ZVMBR0:IP_ADDRESS $ZVMBR0VM100:tap100i0
+ SSH(ACCEPT) $ZVMBR0VM777:IP_ADDRESS $ZVMBR0VM100:tap100i0
+ SSH(ACCEPT) $ZVMBR0EXT:IP_ADDRESS $ZVMBR0VM100:tap100i0
+