X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=README;h=c1c2518e0603166a02c4d838c3bceeff0d8324d6;hp=0d90df5b54f10cd38cbc11895744296fc7479126;hb=b21aca2c22c5be52866043fcaf9662ca5f3f2da6;hpb=b486ed3b930807586eb1038c60682d5e8a8637f8 diff --git a/README b/README index 0d90df5..c1c2518 100644 --- a/README +++ b/README @@ -114,18 +114,30 @@ Zone $ZVMBR0VM100 contains all network interfaces from VM100. Zone $ZVMBR0EXT contains all physical network interfaces. We consider this zone to be the external world. -FIXME: The following is not clear - how do we handle traffic from -other VM? - A shorewall rule for inbound traffic looks like this: - SSH(ACCEPT) $ZVMBR0EXT $ZVMBR0VM100:tap100i0 + SSH(ACCEPT) all $ZVMBR0VM100:tap100i0 Outbound rules looks like: SSH(ACCEPT) $ZVMBR0VM100:tap100i0 all +Problems +=================== + +Inbound rules with source IP does not work, because shorewall +does not allow rules like: + + SSH(ACCEPT) all:IP_ADDRESS $ZVMBR0VM100:tap100i0 + +As workaroud, we create one rule for each BP zone on the same +bridge: + + SSH(ACCEPT) $ZVMBR0:IP_ADDRESS $ZVMBR0VM100:tap100i0 + SSH(ACCEPT) $ZVMBR0VM777:IP_ADDRESS $ZVMBR0VM100:tap100i0 + SSH(ACCEPT) $ZVMBR0EXT:IP_ADDRESS $ZVMBR0VM100:tap100i0 +
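Review bot: the workaround in the new "Problems" section hard-codes one rule per zone on the bridge (`$ZVMBR0`, `$ZVMBR0VM777`, `$ZVMBR0EXT`), but the text does not say that this list must be regenerated whenever a VM zone is added to or removed from the bridge; state that explicitly, since a stale list means traffic from a newly added VM zone is silently not matched by the per-IP rule. Also, the change from `SSH(ACCEPT) $ZVMBR0EXT $ZVMBR0VM100:tap100i0` to `SSH(ACCEPT) all $ZVMBR0VM100:tap100i0` widens the source from the external zone to every zone, which is what the removed FIXME asked about; a sentence noting that `all` now includes traffic from other VMs on the same bridge would make the behaviour clear. Minor wording fixes in the added text: "Inbound rules with source IP does not work" should read "do not work", "workaroud" should be "workaround", and "BP zone" should be spelled out (it is not defined elsewhere in this README).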