Subject:
Re: GSoC Port Forwarding
From:
Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Date:
05/08/2021, 23:31
To:
Giulio
CC:
Frédéric Pierret <frederic.pierret@qubes-os.org>

Sorry for the late response...

On Sun, Aug 01, 2021 at 11:50:18PM +0200, Giulio wrote:
> Hi,
> I am still working on the implementation of the rules in the
> core-agent-linux package. I have a couple of additional questions:
> 
> 1) Currently, I fail to understand the inner workings and the purpose of
> the 'connected_ips' part. Could you give me an overall idea of it or any
> useful additional details that you think may help me understand?

This is to inform the firewall which IPs belong to some VM, even one that is powered off. This
way, the firewall can prevent someone spoofing the IP of a VM that is not running
(because it knows that IP cannot come from anywhere else).

> 2) Since, as we discussed in the previous emails, the last node needs an
> additional rule in order to forward the port from the external interface,
> I am wondering how the correct interface is to be determined. I would
> automatically choose the device on which there is the route with the
> default gateway/destination. But is it a good idea? Or would it be better
> to let the user choose?

This is a very good question. I think the most user-friendly thing to
do is to include all the external interfaces (NetworkManager will
add several default gateways, just with different priorities). Maybe
later it can be made configurable, but I wouldn't worry about it right
now.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
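One way to select the interfaces for that last forwarding rule, as an added illustration and not code from core-agent-linux: parse the output of `ip -4 route show default` and keep every device that carries a default route, ordered by metric, so a second uplink with a worse metric is not left out. The sample route lines and interface names below are constructed.

```python
import re
import subprocess
from typing import NamedTuple, List


class DefaultRoute(NamedTuple):
    gateway: str   # empty for on-link defaults such as "default dev ppp0"
    dev: str
    metric: int


# Constructed sample of `ip -4 route show default` in a NetworkManager-managed
# VM with a wired and a wireless uplink (interface names are hypothetical).
# The duplicate eth0 line mimics a second default added with the same metric.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
default via 10.0.0.1 dev wlan0 proto dhcp metric 600
default via 192.168.1.1 dev eth0 proto static metric 100
"""

# "via" is optional (point-to-point links), "metric" is optional (defaults to 0).
_ROUTE_RE = re.compile(
    r"^default(?: via (?P<gw>\S+))? dev (?P<dev>\S+)(?: .*?\bmetric (?P<metric>\d+))?"
)


def parse_default_routes(text: str) -> List[DefaultRoute]:
    """Turn iproute2 default-route lines into structured records."""
    routes = []
    for line in text.splitlines():
        m = _ROUTE_RE.match(line.strip())
        if not m:
            continue  # not a default route line; ignore
        metric = int(m.group("metric")) if m.group("metric") else 0
        routes.append(DefaultRoute(m.group("gw") or "", m.group("dev"), metric))
    return routes


def external_interfaces(text: str) -> List[str]:
    """Every interface with a default route, best metric first, listed once.
    This is the "include all of them" choice rather than only the top route."""
    best = {}
    for r in parse_default_routes(text):
        if r.dev not in best or r.metric < best[r.dev]:
            best[r.dev] = r.metric
    return sorted(best, key=lambda d: (best[d], d))


def live_external_interfaces() -> List[str]:
    """Same selection on the running system (assumes iproute2 is installed)."""
    out = subprocess.run(["ip", "-4", "route", "show", "default"],
                         capture_output=True, text=True, check=True).stdout
    return external_interfaces(out)


if __name__ == "__main__":
    print(external_interfaces(SAMPLE_ROUTES))  # ['eth0', 'wlan0']
```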