[Spice-devel] Spice protocol behind a Firewall

Uri Lublin uril at redhat.com
Tue Feb 21 12:49:27 UTC 2017


On 02/21/2017 11:04 AM, Oscar Segarra wrote:
> Hi Uri,
>
> Thanks a lot for the example... It looks to clarify the security/acl, but
> what I'd like to know is if there is any known configuration for a
> scenario like this:
>
> Hypervisor1 (10.0.0.1)
>     VM1 (port 5900)
>     VM2 (port 5901)
> Hypervisor2 (10.0.0.2)
>     VM3 (port 5902)
>     VM4 (port 5903)
>


After reading the "And/Or logic" subsection of [1], a configuration
you can try is (again not even tested):

   acl HOST1 dst 10.0.0.1
   acl HOST2 dst 10.0.0.2
   acl PORT1 port 5900 5901
   acl PORT2 port 5902 5903
   http_access allow HOST1 PORT1
   http_access allow HOST2 PORT2
   http_access deny all

[1] http://wiki.squid-cache.org/SquidFaq/SquidAcl


Regards,
     Uri.

>
> 2017-02-21 9:42 GMT+01:00 Uri Lublin <uril at redhat.com
> <mailto:uril at redhat.com>>:
>
>     On 02/19/2017 07:33 PM, Oscar Segarra wrote:
>
>         Hi Uri,
>
>         I have not been able to find the example you suggest... can you
>         paste
>         the url of the example?
>
>
>     Hi Oscar,
>
>     Disclaimer:
>        This is just an example. There may be better more secure ways
>        to do it. You should research and decide on a solution
>        according to your specific requirements.
>        I did not even test the suggested solution.
>
>     For example:
>     http://wiki.squid-cache.org/SquidFaq/SquidAcl
>     <http://wiki.squid-cache.org/SquidFaq/SquidAcl> under
>     "Is there an easy way of banning all Destination addresses except one?"
>
>     You can configure your squid server to allow only access the
>     two hosts and specific ports on those hosts and deny the rest.
>
>     acl GOOD_HOST dst 10.0.0.1
>     acl GOOD_HOST dst 10.0.0.2
>     acl GOOD_PORT port 5900
>     http_access allow GOOD_HOST
>     http_access allow GOOD_PORT
>     http_access deny all
>
>     # The last command is not needed according to
>     # http://www.squid-cache.org/Doc/config/http_access/
>     <http://www.squid-cache.org/Doc/config/http_access/>
>     # but it does appear in the SquidAcl example
>
>     Uri.
>
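Worked example, added here and not part of the thread or of Squid itself: a small Python model of the http_access evaluation order described in the SquidAcl FAQ (all ACLs on one line must match, lines are tried top to bottom, first match wins, and an unmatched request gets the opposite of the last line's action). It embeds both configurations from the thread (with the `dst`/`port` ACL types and the `GOOD_PORT` typo corrected) and shows why the two-line "allow host / allow port" version lets through far more than the per-hypervisor pairing does. The request tuples are constructed for the example; only the `dst` and `port` ACL types are modelled.

```python
"""Evaluate squid-style http_access rules against (dst, port) requests.

Added example, not part of the Spice-devel thread or of Squid: it
re-implements just enough squid.conf semantics to compare the two ACL
layouts discussed in the thread.  Modelled rules (from the SquidAcl FAQ):
  - every ACL named on one http_access line must match (AND);
  - http_access lines are tried top to bottom, first match wins (OR);
  - if no line matches, the opposite of the last line's action applies.
Only the 'dst' and 'port' ACL types are supported.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# First suggestion from the thread (GOOT_PORT typo corrected): two
# independent allow lines, so matching the host OR the port is enough.
LOOSE_CONFIG = """
acl GOOD_HOST dst 10.0.0.1
acl GOOD_HOST dst 10.0.0.2
acl GOOD_PORT port 5900
http_access allow GOOD_HOST
http_access allow GOOD_PORT
http_access deny all
"""

# Second suggestion, with the 'dst'/'port' ACL types squid requires:
# each allow line pairs one hypervisor with exactly the ports of its VMs.
PAIRED_CONFIG = """
acl HOST1 dst 10.0.0.1
acl HOST2 dst 10.0.0.2
acl PORT1 port 5900 5901
acl PORT2 port 5902 5903
http_access allow HOST1 PORT1
http_access allow HOST2 PORT2
http_access deny all
"""

Acls = Dict[str, Tuple[str, Set[str]]]
Rules = List[Tuple[str, List[str]]]


def parse(config: str) -> Tuple[Acls, Rules]:
    """Return ({acl_name: (acl_type, values)}, [(action, [acl names])])."""
    acls: Acls = {}
    rules: Rules = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, acl_type, values = parts[1], parts[2], parts[3:]
            if acl_type not in ("dst", "port"):
                raise ValueError(f"unsupported acl type: {acl_type}")
            # A repeated 'acl NAME' line extends the same ACL (squid behaviour).
            existing = acls.get(name, (acl_type, set()))
            if existing[0] != acl_type:
                raise ValueError(f"acl {name} redefined with a different type")
            existing[1].update(values)
            acls[name] = existing
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
        else:
            raise ValueError(f"unsupported directive: {parts[0]}")
    return acls, rules


def _acl_matches(acls: Acls, name: str, dst: str, port: int) -> bool:
    """Does the named ACL match this destination address and port?"""
    if name == "all":
        return True
    acl_type, values = acls[name]
    if acl_type == "dst":
        addr = ipaddress.ip_address(dst)
        # A bare address in a 'dst' acl is a /32 (or /128) network.
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    return str(port) in values


def decide(config: str, dst: str, port: int) -> str:
    """Return 'allow' or 'deny' for a request to dst:port under config."""
    acls, rules = parse(config)
    for action, names in rules:
        if all(_acl_matches(acls, n, dst, port) for n in names):
            return action
    # No line matched: squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


# Constructed requests: the Spice consoles plus traffic that should never
# be reachable through the proxy (192.0.2.0/24 is a documentation range).
SAMPLE_REQUESTS = [
    ("10.0.0.1", 5900),    # VM1 console on Hypervisor1
    ("10.0.0.2", 5903),    # VM4 console on Hypervisor2
    ("10.0.0.1", 5903),    # VM4's port, but on the wrong hypervisor
    ("10.0.0.1", 22),      # SSH on Hypervisor1
    ("192.0.2.10", 5900),  # unrelated host on a Spice port
    ("192.0.2.10", 443),   # unrelated host, unrelated port
]


def audit(config: str) -> Dict[Tuple[str, int], str]:
    """Decision for every sample request under the given config."""
    return {req: decide(config, *req) for req in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, cfg in (("loose", LOOSE_CONFIG), ("paired", PAIRED_CONFIG)):
        print(label)
        for (dst, port), verdict in audit(cfg).items():
            print(f"  {dst}:{port:<5} -> {verdict}")
```

Running it shows the loose layout allowing SSH on either hypervisor and port 5900 on any host at all, because each allow line needs only one of the two ACLs to match; the paired layout allows exactly the four console ports on their own hypervisors and denies everything else. One caveat beyond the thread: a stock squid.conf ships with `acl SSL_ports port 443` and `http_access deny CONNECT !SSL_ports` ahead of any local rules, so CONNECT to 5900-5903 is refused before these allow lines are reached unless those ports are added to SSL_ports or the pairing rules are placed earlier.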



More information about the Spice-devel mailing list