<div dir="ltr">Hi Uri, <div><br></div><div>The problem comes when VMs can migrate between Hypervisors. That is, eventually the scenario can end up as follows:</div><div><br></div><div><font color="#000000"><span style="font-size:12.8px">Hypervisor1 (10.0.0.1) <-- Stopped due to maintenance</span><br style="font-size:12.8px"><span style="font-size:12.8px">Hypervisor2 (10.0.0.2)</span><br style="font-size:12.8px"><span style="font-size:12.8px"> VM1 (port 5900)</span><br style="font-size:12.8px"><span style="font-size:12.8px"> VM2 (port 5901)</span><br style="font-size:12.8px"></font></div><div><font color="#000000"><span style="font-size:12.8px"> VM3 (port 5902)</span><br style="font-size:12.8px"><span style="font-size:12.8px"> VM4 (port 5903)</span><br></font></div><div><span style="font-size:12.8px"><font color="#000000"><br></font></span></div><div><span style="font-size:12.8px"><font color="#000000">Thanks a lot!</font></span></div></div><div class="gmail_extra"><br><div class="gmail_quote">2017-02-21 13:49 GMT+01:00 Uri Lublin <span dir="ltr"><<a href="mailto:uril@redhat.com" target="_blank">uril@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 02/21/2017 11:04 AM, Oscar Segarra wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi Uri,<br>
<br><span class="">
Thanks a lot for the example... It looks like it clarifies the security/ACL, but<br>
what I'd like to know is if there is any known configuration for a<br>
scenario like this:<br>
<br>
Hypervisor1 (10.0.0.1)<br>
VM1 (port 5900)<br>
VM2 (port 5901)<br>
Hypervisor2 (10.0.0.2)<br>
VM3 (port 5902)<br>
VM4 (port 5903)<br>
<br>
</span></blockquote>
<br>
<br>
[1] <a href="http://wiki.squid-cache.org/SquidFaq/SquidAcl" rel="noreferrer" target="_blank">http://wiki.squid-cache.org/Sq<wbr>uidFaq/SquidAcl</a><br>
After reading "And/Or logic" subsection of [1], a configuration<br>
you can try is (again not even tested):<br>
# ACLs on one http_access line are ANDed; separate http_access lines are ORed<br>
acl HOST1 dst 10.0.0.1<br>
acl HOST2 dst 10.0.0.2<br>
acl PORT1 port 5900 5901<br>
acl PORT2 port 5902 5903<br>
http_access allow HOST1 PORT1<br>
http_access allow HOST2 PORT2<br>
http_access deny all<br>
<br>
<br>
Regards,<br>
Uri.<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
<br>
2017-02-21 9:42 GMT+01:00 Uri Lublin <<a href="mailto:uril@redhat.com" target="_blank">uril@redhat.com</a><br></span>
<mailto:<a href="mailto:uril@redhat.com" target="_blank">uril@redhat.com</a>>>:<div><div class="h5"><br>
<br>
On 02/19/2017 07:33 PM, Oscar Segarra wrote:<br>
<br>
Hi Uri,<br>
<br>
I have not been able to find the example you suggest... can you<br>
paste<br>
the url of the example?<br>
<br>
<br>
Hi Oscar,<br>
<br>
Disclaimer:<br>
This is just an example. There may be better, more secure ways<br>
to do it. You should research and decide on a solution<br>
according to your specific requirements.<br>
I did not even test the suggested solution.<br>
<br>
For example:<br>
<a href="http://wiki.squid-cache.org/SquidFaq/SquidAcl" rel="noreferrer" target="_blank">http://wiki.squid-cache.org/Sq<wbr>uidFaq/SquidAcl</a><br>
<<a href="http://wiki.squid-cache.org/SquidFaq/SquidAcl" rel="noreferrer" target="_blank">http://wiki.squid-cache.org/S<wbr>quidFaq/SquidAcl</a>> under<br>
"Is there an easy way of banning all Destination addresses except one?"<br>
<br>
You can configure your squid server to allow only access the<br>
two hosts and specific ports on those hosts and deny the rest.<br>
<br>
acl GOOD_HOST dst 10.0.0.1<br>
acl GOOD_HOST dst 10.0.0.2<br>
acl GOOD_PORT port 5900<br>
# Separate http_access lines are ORed: a request matching either line is allowed<br>
http_access allow GOOD_HOST<br>
http_access allow GOOD_PORT<br>
http_access deny all<br>
<br>
# The last command is not needed according to<br>
# <a href="http://www.squid-cache.org/Doc/config/http_access/" rel="noreferrer" target="_blank">http://www.squid-cache.org/Doc<wbr>/config/http_access/</a><br>
<<a href="http://www.squid-cache.org/Doc/config/http_access/" rel="noreferrer" target="_blank">http://www.squid-cache.org/Do<wbr>c/config/http_access/</a>><br>
# but it does appear in the SquidAcl example<br>
<br>
Uri.<br>
<br>
</div></div></blockquote>
<br>
</blockquote></div><br></div>
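The difference between the two ACL layouts in this thread (two separate http_access lines, versus host and port ACLs on the same line) is easy to get wrong, and Oscar's migration scenario shows where the second one bites. The following is an added example, not code from Uri's or Oscar's messages and not Squid's own code: a small Python model of how Squid evaluates http_access lines (ACLs on one line are ANDed, lines are tried in order, the first fully matching line decides, and an unmatched request gets the opposite of the last line's action, per the http_access documentation linked above). It supports only the dst, port and all ACL types with literal IPs and port numbers; the request list, including VM1 after migration and two off-plan destinations, is constructed for the example.

```python
# Toy model of Squid's http_access evaluation, added to compare the two ACL
# layouts from the thread. Not Squid code; models only 'dst', 'port' and
# 'all' ACLs with literal IPs and port numbers (no CIDR, no port ranges).

# First layout from the thread: two separate allow lines (ORed).
OR_ACLS = {
    "GOOD_HOST": ("dst", {"10.0.0.1", "10.0.0.2"}),
    "GOOD_PORT": ("port", {5900}),
    "all": ("all", None),
}
OR_RULES = [
    ("allow", ["GOOD_HOST"]),   # any port on a good host
    ("allow", ["GOOD_PORT"]),   # port 5900 on any host
    ("deny", ["all"]),
]

# Second layout from the thread: host and port ACLs on the same line (ANDed).
AND_ACLS = {
    "HOST1": ("dst", {"10.0.0.1"}),
    "HOST2": ("dst", {"10.0.0.2"}),
    "PORT1": ("port", {5900, 5901}),
    "PORT2": ("port", {5902, 5903}),
    "all": ("all", None),
}
AND_RULES = [
    ("allow", ["HOST1", "PORT1"]),
    ("allow", ["HOST2", "PORT2"]),
    ("deny", ["all"]),
]


def acl_matches(acls, name, host, port):
    """Return True if the named ACL matches the request's destination."""
    acl_type, values = acls[name]
    if acl_type == "all":
        return True
    if acl_type == "dst":
        return host in values
    if acl_type == "port":
        return port in values
    # Assumption of this toy model: only the three ACL types above exist.
    raise ValueError(f"unsupported acl type {acl_type!r}")


def http_access(acls, rules, host, port):
    """Evaluate http_access lines the way Squid does.

    The first line whose ACLs ALL match decides. If no line matches, the
    opposite of the last line's action applies, which is why a trailing
    'deny all' after allow lines is redundant but makes the policy explicit.
    """
    for action, names in rules:
        if all(acl_matches(acls, n, host, port) for n in names):
            return action
    last_action = rules[-1][0]
    return "deny" if last_action == "allow" else "allow"


def audit(acls, rules, requests):
    """Map each (host, port) request to the decision the ruleset gives it."""
    return {req: http_access(acls, rules, *req) for req in requests}


# Constructed requests: the VMs as laid out in the thread, VM1 after it has
# migrated to Hypervisor2, and two destinations outside the plan.
REQUESTS = [
    ("10.0.0.1", 5900),    # VM1 on Hypervisor1
    ("10.0.0.2", 5902),    # VM3 on Hypervisor2
    ("10.0.0.2", 5900),    # VM1 after migration to Hypervisor2
    ("10.0.0.1", 22),      # SSH on a hypervisor: should never be proxied
    ("192.0.2.10", 5900),  # port 5900 on a host outside the plan
]

if __name__ == "__main__":
    for label, acls, rules in (("OR layout", OR_ACLS, OR_RULES),
                               ("AND layout", AND_ACLS, AND_RULES)):
        print(label)
        for (host, port), decision in audit(acls, rules, REQUESTS).items():
            print(f"  {host}:{port} -> {decision}")
```

Running it shows the trade-off the thread circles around: the OR layout lets port 22 on a hypervisor and port 5900 on any host through, while the AND layout pins each port to one hypervisor and therefore denies VM1 once it has moved to Hypervisor2. Whatever layout is chosen, checking candidate requests against the model before deploying is cheaper than discovering a denied console, or an over-broad proxy, in production.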