* [pve-devel] [PATCH docs 2/3] pvesdn: add note to port isolation to use firewall in clusters
2024-11-20 12:02 [pve-devel] [PATCH docs 1/3] pvesdn: add chapter reference for sdn firewall Aaron Lauterer
@ 2024-11-20 12:02 ` Aaron Lauterer
2024-11-20 15:57 ` [pve-devel] applied: " Thomas Lamprecht
2024-11-20 12:02 ` [pve-devel] [PATCH manager 3/3] ui: sdn firewall: add online help Aaron Lauterer
` (2 subsequent siblings)
3 siblings, 1 reply; 6+ messages in thread
From: Aaron Lauterer @ 2024-11-20 12:02 UTC (permalink / raw)
To: pve-devel
since port isolation is only local on the host. To get better port
isolation, the VNET firewall can be used.
Signed-off-by: Aaron Lauterer <a.lauterer@proxmox.com>
---
pvesdn.adoc | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/pvesdn.adoc b/pvesdn.adoc
index 2e24dd2..1541e54 100644
--- a/pvesdn.adoc
+++ b/pvesdn.adoc
@@ -388,6 +388,10 @@ but not for the interface itself. This means guests can only send traffic to
non-isolated bridge-ports, which is the bridge itself. In order for this setting
to take effect, you need to restart the affected guest.
+NOTE: Port isolation is local to each host. Use the
+xref:pvesdn_firewall_integration[VNET Firewall] to further isolate traffic in
+the VNET across nodes. For example, DROP by default and only allow traffic from
+the IP subnet to the gateway and the vice versa.
[[pvesdn_config_subnet]]
Subnets
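Review bot: the last sentence of the added NOTE reads "to the gateway and the vice versa"; drop the article ("and vice versa"). The first sentence states that port isolation is local to each host but not what that means for the reader; a short addition such as "guests on different nodes in the same VNET can still reach each other" would make clear why the firewall is needed, and matches the commit message ("port isolation is only local on the host"). The example rule set (DROP by default, then allow subnet to gateway and back) would also benefit from stating explicitly that everything else in the VNET, including guest-to-guest traffic across nodes, is then blocked, since that is the isolation the note promises.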
--
2.39.5
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
* [pve-devel] [PATCH manager 3/3] ui: sdn firewall: add online help
2024-11-20 12:02 [pve-devel] [PATCH docs 1/3] pvesdn: add chapter reference for sdn firewall Aaron Lauterer
2024-11-20 12:02 ` [pve-devel] [PATCH docs 2/3] pvesdn: add note to port isolation to use firewall in clusters Aaron Lauterer
@ 2024-11-20 12:02 ` Aaron Lauterer
2024-11-20 12:05 ` [pve-devel] [PATCH docs 1/3] pvesdn: add chapter reference for sdn firewall Stefan Hanreich
2024-11-20 15:57 ` [pve-devel] applied: " Thomas Lamprecht
3 siblings, 0 replies; 6+ messages in thread
From: Aaron Lauterer @ 2024-11-20 12:02 UTC (permalink / raw)
To: pve-devel
Signed-off-by: Aaron Lauterer <a.lauterer@proxmox.com>
---
www/manager6/sdn/FirewallPanel.js | 2 ++
1 file changed, 2 insertions(+)
diff --git a/www/manager6/sdn/FirewallPanel.js b/www/manager6/sdn/FirewallPanel.js
index 9683a680..d6859d10 100644
--- a/www/manager6/sdn/FirewallPanel.js
+++ b/www/manager6/sdn/FirewallPanel.js
@@ -4,6 +4,8 @@ Ext.define('PVE.sdn.FirewallPanel', {
title: 'VNet',
+ onlineHelp: 'pvesdn_firewall_integration',
+
initComponent: function() {
let me = this;
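Review bot: the `onlineHelp` value 'pvesdn_firewall_integration' must match the anchor `[[pvesdn_firewall_integration]]` that patch 1/3 adds to pvesdn.adoc, so this manager change depends on the docs patch being applied and the online-help index being regenerated from it before this is shipped; otherwise the help button on the VNet firewall panel points at an anchor that does not exist. That dependency is worth stating in the commit message, which currently has no body.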
--
2.39.5
* Re: [pve-devel] [PATCH docs 1/3] pvesdn: add chapter reference for sdn firewall
2024-11-20 12:02 [pve-devel] [PATCH docs 1/3] pvesdn: add chapter reference for sdn firewall Aaron Lauterer
2024-11-20 12:02 ` [pve-devel] [PATCH docs 2/3] pvesdn: add note to port isolation to use firewall in clusters Aaron Lauterer
2024-11-20 12:02 ` [pve-devel] [PATCH manager 3/3] ui: sdn firewall: add online help Aaron Lauterer
@ 2024-11-20 12:05 ` Stefan Hanreich
2024-11-20 15:57 ` [pve-devel] applied: " Thomas Lamprecht
3 siblings, 0 replies; 6+ messages in thread
From: Stefan Hanreich @ 2024-11-20 12:05 UTC (permalink / raw)
To: Proxmox VE development discussion, Aaron Lauterer
Talked with Aaron off-list about the changes, lgtm
Reviewed-by: Stefan Hanreich <s.hanreich@proxmox.com>
On 11/20/24 13:02, Aaron Lauterer wrote:
> Signed-off-by: Aaron Lauterer <a.lauterer@proxmox.com>
> ---
> pvesdn.adoc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/pvesdn.adoc b/pvesdn.adoc
> index 8bd004e..2e24dd2 100644
> --- a/pvesdn.adoc
> +++ b/pvesdn.adoc
> @@ -707,6 +707,7 @@ For more information please consult the documentation of
> xref:pvesdn_ipam_plugin_pveipam[the PVE IPAM plugin]. Changing DHCP leases is
> currently not supported for the other IPAM plugins.
>
> +[[pvesdn_firewall_integration]]
> Firewall Integration
> --------------------
>
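Review bot: the new id follows the `pvesdn_` naming already used in this file (e.g. `pvesdn_config_subnet`) and sits directly above the section title, as AsciiDoc requires. Since the manager UI (patch 3/3) references this id by name through `onlineHelp`, renaming it later silently breaks that link; treat the anchor as a stable identifier once applied.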
* [pve-devel] applied: [PATCH docs 1/3] pvesdn: add chapter reference for sdn firewall
2024-11-20 12:02 [pve-devel] [PATCH docs 1/3] pvesdn: add chapter reference for sdn firewall Aaron Lauterer
` (2 preceding siblings ...)
2024-11-20 12:05 ` [pve-devel] [PATCH docs 1/3] pvesdn: add chapter reference for sdn firewall Stefan Hanreich
@ 2024-11-20 15:57 ` Thomas Lamprecht
3 siblings, 0 replies; 6+ messages in thread
From: Thomas Lamprecht @ 2024-11-20 15:57 UTC (permalink / raw)
To: Proxmox VE development discussion, Aaron Lauterer
On 20.11.24 at 13:02, Aaron Lauterer wrote:
> Signed-off-by: Aaron Lauterer <a.lauterer@proxmox.com>
> ---
> pvesdn.adoc | 1 +
> 1 file changed, 1 insertion(+)
>
>
applied, thanks!