From 8fb53d8ccf5b71e3352c33221fdecb9e97e1753c Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Fri, 10 Aug 2012 13:15:25 +0200
Subject: [PATCH] describe the problem

---
 PVE/Firewall.pm |  4 +++-
 README          | 17 +++++++++++++----
 2 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm
index 8eb277c..3f0adf0 100644
--- a/PVE/Firewall.pm
+++ b/PVE/Firewall.pm
@@ -48,8 +48,10 @@ my $generate_input_rule = sub {
 	my $bridge_ext_zone = $zoneinfo->{$bridge_zone}->{bridge_ext_zone} || die "internal error";
 	my $zoneref = $zoneinfo->{$bridge_ext_zone}->{zoneref} || die "internal error";
 	if (!$rule->{source}) {
-	    $source = "${zoneref}";
+	    # $source = "${zoneref}";
+	    $source = 'all';
 	} else {
+	    # 'all' does not work
 	    $source = "${zoneref}:$rule->{source}";
 	}
     } else {
diff --git a/README b/README
index 0d90df5..e6f447a 100644
--- a/README
+++ b/README
@@ -114,18 +114,27 @@ Zone $ZVMBR0VM100 contains all network interfaces from VM100.
 Zone $ZVMBR0EXT contains all physical network interfaces. We consider
 this zone to be the external world.
-FIXME: The following is not clear - how do we handle traffic from
-other VM?
-
 A shorewall rule for inbound traffic looks like this:
-  SSH(ACCEPT) $ZVMBR0EXT $ZVMBR0VM100:tap100i0
+  SSH(ACCEPT) all $ZVMBR0VM100:tap100i0
 Outbound rules looks like:
   SSH(ACCEPT) $ZVMBR0VM100:tap100i0 all
+Unresolved problems
+===================
+
+Inbound rules with source IP does not work, because shorewall
+does not allow rules like:
+
+  SSH(ACCEPT) all:IP_ADDRESS $ZVMBR0VM100:tap100i0
+
+As workaroud, we can create such rule for each BP zone:
+
+  SSH(ACCEPT) $ZVMBR0EXT:IP_ADDRESS $ZVMBR0VM100:tap100i0
+
-- 
2.39.2
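Review bot: The new `$source = 'all';` line widens the generated inbound rule from the bridge's external zone (`$zoneref`, the removed line) to every shorewall zone, which presumably includes the other VM zones on the same bridge, and nothing in the hunk records that this widening is intended; a why-comment such as `# 'all' matches every zone, not just the bridge's external zone; see README "Unresolved problems"` should replace the commented-out `# $source = "${zoneref}";`, which is dead code and should be dropped rather than kept. The added `# 'all' does not work` comment should say what fails, e.g. `# shorewall rejects 'all:<ip>' as a source, so keep the external zone here`, so that the asymmetry between the two branches is explained to the next reader. The `$generate_input_rule` sub starts and ends outside the hunk.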