[Spice-devel] Spice protocol behind a Firewall

Oscar Segarra oscar.segarra at gmail.com
Tue Feb 21 12:52:13 UTC 2017


Hi Uri,

The problem comes when VMs can migrate between hypervisors. That is,
eventually the scenario can turn out as follows:

Hypervisor1 (10.0.0.1) <-- Stopped due to maintenance
Hypervisor2 (10.0.0.2)
    VM1 (port 5900)
    VM2 (port 5901)
    VM3 (port 5902)
    VM4 (port 5903)

Thanks a lot!

2017-02-21 13:49 GMT+01:00 Uri Lublin <uril at redhat.com>:

> On 02/21/2017 11:04 AM, Oscar Segarra wrote:
>
>> Hi Uri,
>>
>> Thanks a lot for the example... It does clarify the security/ACL side, but
>> what I'd like to know is whether there is any known configuration for a
>> scenario like this:
>>
>> Hypervisor1 (10.0.0.1)
>>     VM1 (port 5900)
>>     VM2 (port 5901)
>> Hypervisor2 (10.0.0.2)
>>     VM3 (port 5902)
>>     VM4 (port 5903)
>>
>>
>
> [1] http://wiki.squid-cache.org/SquidFaq/SquidAcl
> After reading the "And/Or logic" subsection of [1], a configuration
> you can try is (again not even tested):
>   acl HOST1 dst 10.0.0.1
>   acl HOST2 dst 10.0.0.2
>   acl PORT1 port 5900 5901
>   acl PORT2 port 5902 5903
>   http_access allow HOST1 PORT1
>   http_access allow HOST2 PORT2
>   http_access deny all
>
>
> Regards,
>     Uri.
>
>
>> 2017-02-21 9:42 GMT+01:00 Uri Lublin <uril at redhat.com
>> <mailto:uril at redhat.com>>:
>>
>>
>>     On 02/19/2017 07:33 PM, Oscar Segarra wrote:
>>
>>         Hi Uri,
>>
>>         I have not been able to find the example you suggest... can you
>>         paste the URL of the example?
>>
>>
>>     Hi Oscar,
>>
>>     Disclaimer:
>>        This is just an example. There may be better, more secure ways
>>        to do it. You should research and decide on a solution
>>        according to your specific requirements.
>>        I did not even test the suggested solution.
>>
>>     For example:
>>     http://wiki.squid-cache.org/SquidFaq/SquidAcl under
>>     "Is there an easy way of banning all Destination addresses except
>>     one?"
>>
>>     You can configure your squid server to allow access only to the
>>     two hosts and specific ports on those hosts and deny the rest.
>>
>>     acl GOOD_HOST dst 10.0.0.1
>>     acl GOOD_HOST dst 10.0.0.2
>>     acl GOOD_PORT port 5900
>>     http_access allow GOOD_HOST
>>     http_access allow GOOD_PORT
>>     http_access deny all
>>
>>     # The last command is not needed according to
>>     # http://www.squid-cache.org/Doc/config/http_access/
>>     # but it does appear in the SquidAcl example
>>
>>     Uri.
>>
>>
>
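The thread turns on how Squid combines ACLs: every ACL named on one http_access line must match (AND), separate lines are alternatives (OR), evaluation stops at the first matching line, and when nothing matches Squid applies the opposite of the last line's action. The following is an added example, not code from the thread or from the Squid project: a small Python evaluator for just the `dst` and `port` ACL types, run over constructed (hypervisor, port) request tuples. It compares Uri's per-host rule set with a host-set AND port-set variant (my suggestion, not proposed in the thread) that still admits VM1 after it has migrated from 10.0.0.1 to 10.0.0.2, the case Oscar describes. Function names and the request list are assumptions made for the example.

```python
"""Toy model of Squid http_access evaluation (added example, not Squid code).

Supports only 'dst' and 'port' ACLs, first-match rule order, AND within a
line, OR across lines, and Squid's documented default of the opposite of
the last rule's action when nothing matches.
"""
from dataclasses import dataclass


@dataclass
class Acl:
    name: str
    kind: str       # "dst" or "port"
    values: set     # several 'acl NAME ...' lines with the same name are unioned


@dataclass
class Rule:
    action: str     # "allow" or "deny"
    acl_names: list  # all must match (AND); empty list stands for "all"


def parse_config(text):
    """Parse acl / http_access lines; '#' starts a comment."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            acl = acls.setdefault(name, Acl(name, kind, set()))
            if acl.kind != kind:
                raise ValueError(f"acl {name} redefined with type {kind}")
            acl.values.update(int(v) if kind == "port" else v for v in values)
        elif parts[0] == "http_access":
            names = parts[2:]
            rules.append(Rule(parts[1], [] if names == ["all"] else names))
        else:
            raise ValueError(f"unsupported directive: {line}")
    return acls, rules


def acl_matches(acl, dst, port):
    if acl.kind == "dst":
        return dst in acl.values
    if acl.kind == "port":
        return port in acl.values
    raise ValueError(f"unsupported acl type {acl.kind}")


def decide(acls, rules, dst, port):
    """First http_access line whose ACLs all match wins."""
    for rule in rules:
        if all(acl_matches(acls[n], dst, port) for n in rule.acl_names):
            return rule.action
    if rules:  # no match: opposite of the last rule's action
        return "deny" if rules[-1].action == "allow" else "allow"
    return "deny"


def evaluate(config_text, requests):
    """Map each (dst, port) request to the decision the config yields."""
    acls, rules = parse_config(config_text)
    return {(dst, port): decide(acls, rules, dst, port) for dst, port in requests}


# Uri's per-host rule set from the thread (ports fixed to one hypervisor each).
PER_HOST_CONFIG = """
acl HOST1 dst 10.0.0.1
acl HOST2 dst 10.0.0.2
acl PORT1 port 5900 5901
acl PORT2 port 5902 5903
http_access allow HOST1 PORT1
http_access allow HOST2 PORT2
http_access deny all
"""

# Assumed migration-tolerant variant: any listed host AND any listed port.
MIGRATION_SAFE_CONFIG = """
acl SPICE_HOST dst 10.0.0.1
acl SPICE_HOST dst 10.0.0.2
acl SPICE_PORT port 5900 5901 5902 5903
http_access allow SPICE_HOST SPICE_PORT
http_access deny all
"""

# Constructed requests: VM1 before and after migrating to Hypervisor2,
# an unknown host, and a non-SPICE port on a known host.
REQUESTS = [("10.0.0.1", 5900), ("10.0.0.2", 5900), ("10.0.0.2", 5903),
            ("10.0.0.3", 5900), ("10.0.0.2", 22)]

if __name__ == "__main__":
    for label, cfg in (("per-host", PER_HOST_CONFIG),
                       ("migration-safe", MIGRATION_SAFE_CONFIG)):
        for req, verdict in evaluate(cfg, REQUESTS).items():
            print(f"{label:15} {req[0]}:{req[1]:<5} -> {verdict}")
```

Two caveats for anyone turning this into a real squid.conf: the stock file already carries `http_access deny !Safe_ports` and `http_access deny CONNECT !SSL_ports` ahead of local rules, so a SPICE client tunnelling with CONNECT to 5900-5903 is refused until those ports are also added to `SSL_ports`; and the host-set AND port-set form deliberately admits every listed port on every listed hypervisor, so a VM on 10.0.0.2 can be reached on 5900 even when nothing is listening there. Running candidate rule sets through a checker like this one before deployment is a cheap way to see exactly which (host, port) pairs a widening opens up.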