Proxmox/pve-firewall
5
0
Fork 0
mirror of git://git.proxmox.com/git/pve-firewall.git synced 2025-02-09 13:57:30 +03:00
Code Releases Activity

add standard rules after user rules

Browse Source 
Ao that the users can overwrite behavior.
This commit is contained in:
Dietmar Maurer 2014-05-20 06:12:55 +02:00
parent 8b6348df48
commit 3bc79f879d
1 changed files with 25 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
src/PVE/Firewall.pm
View File

@ -1684,20 +1684,6 @@ sub enable_host_firewall {
ruleset_chain_add_conn_filters($ruleset, $chain, 'ACCEPT');
ruleset_chain_add_input_filters($ruleset, $chain, $options, $cluster_conf, $loglevel);
my $clusternet = get_cluster_network();
if ($clusternet) {
ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 8006 -j ACCEPT"); # PVE API
ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 5900:5999 -j ACCEPT"); # PVE VNC Console
ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 3128 -j ACCEPT"); # SPICE Proxy
ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 22 -j ACCEPT"); # SSH
# corosync
my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT"
ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule");
ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule");
}
# we use RETURN because we need to check also tap rules
my $accept_action = 'RETURN';
@ -1712,6 +1698,21 @@ sub enable_host_firewall {
}
delete $rule->{iface_in};
}
my $clusternet = get_cluster_network();
# allow standard traffic on cluster network
if ($clusternet) {
ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 8006 -j ACCEPT"); # PVE API
ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 5900:5999 -j ACCEPT"); # PVE VNC Console
ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 3128 -j ACCEPT"); # SPICE Proxy
ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 22 -j ACCEPT"); # SSH
# corosync
my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT"
ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule");
ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule");
}
# implement input policy
my $policy = $cluster_options->{policy_in} || 'DROP'; # allow nothing by default
@ -1727,12 +1728,6 @@ sub enable_host_firewall {
ruleset_chain_add_conn_filters($ruleset, $chain, 'ACCEPT');
if ($clusternet) {
my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT";
ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule");
ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule");
}
# we use RETURN because we may want to check other thigs later
$accept_action = 'RETURN';
@ -1748,6 +1743,16 @@ sub enable_host_firewall {
delete $rule->{iface_out};
}
# allow standard traffic on cluster network
if ($clusternet) {
ruleset_addrule($ruleset, $chain, "-d $clusternet -p tcp --dport 8006 -j ACCEPT"); # PVE API
ruleset_addrule($ruleset, $chain, "-d $clusternet -p tcp --dport 22 -j ACCEPT"); # SSH
my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j ACCEPT";
ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule");
ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule");
}
# implement output policy
$policy = $cluster_options->{policy_out} || 'ACCEPT'; # allow everything by default
ruleset_add_chain_policy($ruleset, $chain, 0, $policy, $loglevel, $accept_action);