]> git.proxmox.com Git - pve-firewall.git/commitdiff
projects / pve-firewall.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: b486ed3)
describe the problem
authorDietmar Maurer <dietmar@proxmox.com>
Fri, 10 Aug 2012 11:15:25 +0000 (13:15 +0200)
committerDietmar Maurer <dietmar@proxmox.com>
Fri, 10 Aug 2012 11:15:25 +0000 (13:15 +0200)
PVE/Firewall.pm patch | blob | blame | history
README patch | blob | blame | history

diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm
index 8eb277cd661f26a088321dc111c2c40381e94c12..3f0adf0cb531d0314a97135f5b3fceef79d7cf79 100644 (file)
--- a/PVE/Firewall.pm
+++ b/PVE/Firewall.pm
@@ -48,8 +48,10 @@ my $generate_input_rule = sub {
        my $bridge_ext_zone = $zoneinfo->{$bridge_zone}->{bridge_ext_zone} || die "internal error";
        my $zoneref = $zoneinfo->{$bridge_ext_zone}->{zoneref} || die "internal error";
        if (!$rule->{source}) {
        my $bridge_ext_zone = $zoneinfo->{$bridge_zone}->{bridge_ext_zone} || die "internal error";
        my $zoneref = $zoneinfo->{$bridge_ext_zone}->{zoneref} || die "internal error";
        if (!$rule->{source}) {
-           $source = "${zoneref}";
+           # $source = "${zoneref}";
+           $source = 'all';
        } else {
        } else {
+           # 'all' does not work
            $source = "${zoneref}:$rule->{source}";
        }
     } else {
            $source = "${zoneref}:$rule->{source}";
        }
     } else {
diff --git a/README b/README
index 0d90df5b54f10cd38cbc11895744296fc7479126..e6f447adf877aaf706653266fdff39fa311a7eba 100644 (file)
--- a/README
+++ b/README
@@ -114,18 +114,27 @@ Zone $ZVMBR0VM100 contains all network interfaces from VM100.
 
 Zone $ZVMBR0EXT contains all physical network interfaces. We consider this zone to be the external world.
 
 
 Zone $ZVMBR0EXT contains all physical network interfaces. We consider this zone to be the external world.
 
-FIXME: The following is not clear - how do we handle traffic from 
-other VM?
-
 A shorewall rule for inbound traffic looks like this:
 
 A shorewall rule for inbound traffic looks like this:
 
- SSH(ACCEPT)     $ZVMBR0EXT       $ZVMBR0VM100:tap100i0 
+ SSH(ACCEPT)     all       $ZVMBR0VM100:tap100i0 
 
 Outbound rules looks like:
 
  SSH(ACCEPT)     $ZVMBR0VM100:tap100i0          all
 
 
 
 Outbound rules looks like:
 
  SSH(ACCEPT)     $ZVMBR0VM100:tap100i0          all
 
 
+Unresolved problems
+===================
+
+Inbound rules with source IP does not work, because shorewall
+does not allow rules like:
+
+ SSH(ACCEPT)     all:IP_ADDRESS       $ZVMBR0VM100:tap100i0
+
+As workaroud, we can create such rule for each BP zone:
+
+ SSH(ACCEPT)     $ZVMBR0EXT:IP_ADDRESS       $ZVMBR0VM100:tap100i0
+
 
 
 
 
 
 
Firewall test scripts