<div dir="ltr">Hi Uri, <div> </div><div>The problem comes when VMs can migrate between Hypervisors. It is, eventually the scenario can turn as follows:</div><div> </div><div>Hypervisor1 (10.0.0.1) <-- Stopped due to maintenance Hypervisor2 (10.0.0.2) VM1 (port 5900) VM2 (port 5901) </div><div> VM3 (port 5902) VM4 (port 5903) </div><div> </div><div>Thanks a lot!</div></div><div class="gmail_extra"> <div class="gmail_quote">2017-02-21 13:49 GMT+01:00 Uri Lublin <<a href="mailto:uril@redhat.com" target="_blank">uril@redhat.com</a>>: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 02/21/2017 11:04 AM, Oscar Segarra wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Hi Uri, Thanks a lot for th example... It looks clarify the security/acl but what I'd like to know is if is there any known configuration for an scenario like this: Hypervisor1 (10.0.0.1) VM1 (port 5900) VM2 (port 5901) Hypervisor2 (10.0.0.2) VM3 (port 5902) VM4 (port 5903) </blockquote> [1] <a href="http://wiki.squid-cache.org/SquidFaq/SquidAcl" rel="noreferrer" target="_blank">http://wiki.squid-cache.org/SquidFaq/SquidAcl</a> After reading "And/Or logic" subsection of [1], a configuration you can try is (again not even tested): acl HOST1 10.0.0.1 acl HOST2 10.0.0.2 acl PORT1 5900 5901 acl PORT2 5902 5903 http_access allow HOST1 PORT1 http_access allow HOST2 PORT2 http_access deny all Regards, Uri. <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> 2017-02-21 9:42 GMT+01:00 Uri Lublin <<a href="mailto:uril@redhat.com" target="_blank">uril@redhat.com</a> <mailto:<a href="mailto:uril@redhat.com" target="_blank">uril@redhat.com</a>>>:<div><div class="h5"> On 02/19/2017 07:33 PM, Oscar Segarra wrote: Hi Uri, I have not been able to find the example you suggest... can you paste the url of the example? Hi Oscar, Disclaimer: This is just an example. There may be better more secure ways to do it. You should research and decide on a solution according to your specific requirements. I did not even test the suggested solution. For example: <a href="http://wiki.squid-cache.org/SquidFaq/SquidAcl" rel="noreferrer" target="_blank">http://wiki.squid-cache.org/SquidFaq/SquidAcl</a> <<a href="http://wiki.squid-cache.org/SquidFaq/SquidAcl" rel="noreferrer" target="_blank">http://wiki.squid-cache.org/SquidFaq/SquidAcl</a>> under "Is there an easy way of banning all Destination addresses except one?" You can configure your squid server to allow only access the two hosts and specific ports on those hosts and deny the rest. acl GOOD_HOST dst 10.0.0.1 acl GOOD_HOST dst 10.0.0.2 acl GOOD_PORT port 5900 http_access allow GOOD_HOST http_access allow GOOT_PORT http_access deny all # The last command is not needed according to # <a href="http://www.squid-cache.org/Doc/config/http_access/" rel="noreferrer" target="_blank">http://www.squid-cache.org/Doc/config/http_access/</a> <<a href="http://www.squid-cache.org/Doc/config/http_access/" rel="noreferrer" target="_blank">http://www.squid-cache.org/Doc/config/http_access/</a>> # but it does appear in the SquidAcl example Uri. </div></div></blockquote> </blockquote></div> </div>