* [pve-devel] [PATCH docs 1/3] pvesdn: add chapter reference for sdn firewall
From: Aaron Lauterer @ 2024-11-20 12:02 UTC (permalink / raw)
To: pve-devel
Signed-off-by: Aaron Lauterer <a.lauterer@proxmox.com>
---
pvesdn.adoc | 1 +
1 file changed, 1 insertion(+)
diff --git a/pvesdn.adoc b/pvesdn.adoc
index 8bd004e..2e24dd2 100644
--- a/pvesdn.adoc
+++ b/pvesdn.adoc
@@ -707,6 +707,7 @@ For more information please consult the documentation of
xref:pvesdn_ipam_plugin_pveipam[the PVE IPAM plugin]. Changing DHCP leases is
currently not supported for the other IPAM plugins.
+[[pvesdn_firewall_integration]]
Firewall Integration
--------------------
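Review bot: the anchor added above "Firewall Integration" becomes a stable link target, but the commit message has no body saying what consumes it. Suggest one line in the message noting that pvesdn_firewall_integration is referenced by the xref in 2/3 and by onlineHelp in manager 3/3, so that a later rename of the anchor is known to need changes in both places.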
--
2.39.5
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
* [pve-devel] [PATCH docs 2/3] pvesdn: add note to port isolation to use firewall in clusters
From: Aaron Lauterer @ 2024-11-20 12:02 UTC (permalink / raw)
To: pve-devel
since port isolation is only local on the host. To get better port
isolation, the VNET firewall can be used.
Signed-off-by: Aaron Lauterer <a.lauterer@proxmox.com>
---
pvesdn.adoc | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/pvesdn.adoc b/pvesdn.adoc
index 2e24dd2..1541e54 100644
--- a/pvesdn.adoc
+++ b/pvesdn.adoc
@@ -388,6 +388,10 @@ but not for the interface itself. This means guests can only send traffic to
non-isolated bridge-ports, which is the bridge itself. In order for this setting
to take effect, you need to restart the affected guest.
+NOTE: Port isolation is local to each host. Use the
+xref:pvesdn_firewall_integration[VNET Firewall] to further isolate traffic in
+the VNET across nodes. For example, DROP by default and only allow traffic from
+the IP subnet to the gateway and the vice versa.
[[pvesdn_config_subnet]]
Subnets
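Review bot: in the last added line of the NOTE, "and the vice versa" should read "and vice versa". The first sentence would also be clearer if it stated the consequence of "local to each host", namely that guests on different nodes in the same VNET can still reach each other, since that is the reason the reader is being sent to the VNET Firewall. The DROP example could then spell out both allowed directions (subnet to gateway, gateway to subnet) so it can be turned into rules without guessing.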
--
2.39.5
* [pve-devel] [PATCH manager 3/3] ui: sdn firewall: add online help
From: Aaron Lauterer @ 2024-11-20 12:02 UTC (permalink / raw)
To: pve-devel
Signed-off-by: Aaron Lauterer <a.lauterer@proxmox.com>
---
www/manager6/sdn/FirewallPanel.js | 2 ++
1 file changed, 2 insertions(+)
diff --git a/www/manager6/sdn/FirewallPanel.js b/www/manager6/sdn/FirewallPanel.js
index 9683a680..d6859d10 100644
--- a/www/manager6/sdn/FirewallPanel.js
+++ b/www/manager6/sdn/FirewallPanel.js
@@ -4,6 +4,8 @@ Ext.define('PVE.sdn.FirewallPanel', {
title: 'VNet',
+ onlineHelp: 'pvesdn_firewall_integration',
+
initComponent: function() {
let me = this;
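Review bot: the onlineHelp value added after title: 'VNet' has to match the anchor introduced in docs 1/3 exactly, and nothing in this patch or its empty commit message records that dependency. Suggest stating in the commit message that this requires a docs build containing [[pvesdn_firewall_integration]], so the help link does not point at a missing reference when manager is built against older docs.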
--
2.39.5
* Re: [pve-devel] [PATCH docs 1/3] pvesdn: add chapter reference for sdn firewall
From: Stefan Hanreich @ 2024-11-20 12:05 UTC (permalink / raw)
To: Proxmox VE development discussion, Aaron Lauterer
Talked with Aaron off-list about the changes, lgtm
Reviewed-by: Stefan Hanreich <s.hanreich@proxmox.com>
On 11/20/24 13:02, Aaron Lauterer wrote:
> Signed-off-by: Aaron Lauterer <a.lauterer@proxmox.com>
> ---
> pvesdn.adoc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/pvesdn.adoc b/pvesdn.adoc
> index 8bd004e..2e24dd2 100644
> --- a/pvesdn.adoc
> +++ b/pvesdn.adoc
> @@ -707,6 +707,7 @@ For more information please consult the documentation of
> xref:pvesdn_ipam_plugin_pveipam[the PVE IPAM plugin]. Changing DHCP leases is
> currently not supported for the other IPAM plugins.
>
> +[[pvesdn_firewall_integration]]
> Firewall Integration
> --------------------
>
* [pve-devel] applied: [PATCH docs 1/3] pvesdn: add chapter reference for sdn firewall
From: Thomas Lamprecht @ 2024-11-20 15:57 UTC (permalink / raw)
To: Proxmox VE development discussion, Aaron Lauterer
On 20.11.24 at 13:02, Aaron Lauterer wrote:
> Signed-off-by: Aaron Lauterer <a.lauterer@proxmox.com>
> ---
> pvesdn.adoc | 1 +
> 1 file changed, 1 insertion(+)
>
>
applied, thanks!
* [pve-devel] applied: [PATCH docs 2/3] pvesdn: add note to port isolation to use firewall in clusters
From: Thomas Lamprecht @ 2024-11-20 15:57 UTC (permalink / raw)
To: Proxmox VE development discussion, Aaron Lauterer
On 20.11.24 at 13:02, Aaron Lauterer wrote:
> since port isolation is only local on the host. To get better port
> isolation, the VNET firewall can be used.
>
> Signed-off-by: Aaron Lauterer <a.lauterer@proxmox.com>
> ---
> pvesdn.adoc | 4 ++++
> 1 file changed, 4 insertions(+)
>
>
applied, thanks!