[pve-devel] firewall : cluster.fw [rules] section ?

Alexandre DERUMIER aderumier at odiso.com
Fri Jul 4 11:24:26 CEST 2014


>>Sorry i just meant mac spoofing. 
>>
>>We should have ebtables rules like these: 
>># Drop packets that don't match the network's MAC Address 
>>-s ! <mac_address>/ff:ff:ff:ff:ff:0 -o <tap_device> -j DROP 
>># Prevent MAC spoofing 
>>-s ! <mac_address> -i <tap_device> -j DROP 
>>
>>Then we should filter non-ARP, IPv4 and IPv6 traffic in ebtables to 
>>prevent other crazy packets. 

What is the advantage of doing it in ebtables vs iptables?

http://ebtables.sourceforge.net/examples/basic.html#ex_anti-spoof


(I ask the question because, if you have a lot of MACs to filter, 
in the worst case you need to check all the ebtables rules, for each packet.)


Also, with iptables, once the connection is established we don't check the MAC address.
(I don't know if it can be a security problem.)



----- Mail original ----- 

From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
To: "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
Sent: Friday 4 July 2014 11:07:38 
Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ? 

On 04.07.2014 11:03, Alexandre DERUMIER wrote: 
>>> Main problem is that iptables is only layer3. What about layer2 IP / mac 
>>> spoofing? 
> 
> Yes, MAC filtering needs to be done as it is currently, in tapchain. 
> 
> 
> (layer2 IP ????) 

Sorry, I just meant MAC spoofing. 

We should have ebtables rules like these: 
# Drop packets that don't match the network's MAC Address 
-s ! <mac_address>/ff:ff:ff:ff:ff:0 -o <tap_device> -j DROP 
# Prevent MAC spoofing 
-s ! <mac_address> -i <tap_device> -j DROP 

Then we should filter non-ARP, IPv4 and IPv6 traffic in ebtables to 
prevent other crazy packets. 

Regards 
Stefan 

> ----- Mail original ----- 
> 
> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
> To: "Alexandre DERUMIER" <aderumier at odiso.com>, "pve-devel" <pve-devel at pve.proxmox.com> 
> Sent: Friday 4 July 2014 10:55:58 
> Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ? 
> 
> On 19.06.2014 07:50, Alexandre DERUMIER wrote: 
>>>> But I don't see anywhere in the code where these rules are generated? 
>> 
>> I think we could create a PVEFW-cluster-IN|OUT chain, and put it at the same level as blacklist. 
>> 
>> (and maybe make blacklist ipset more generic, if we can create a rule with blacklist) 
>> 
>> 
>> 
>> 
>> Also, I just found that ipset provides a net,iface hash: 
>> 
>> ipset create foo hash:net,iface 
>> ipset add foo 192.168.0/24,eth0 
>> ipset add foo 10.1.0.0/16,eth1 
>> ipset test foo 192.168.0/24,eth0 
>> 
>> 
>> Maybe we can use it to implement ipfilter at cluster level? 
> 
> The main problem is that iptables is only layer 3. What about layer 2 IP / MAC 
> spoofing? 
> 
> 
> Stefan 
> 
>> ----- Mail original ----- 
>> 
>> From: "Alexandre DERUMIER" <aderumier at odiso.com> 
>> To: "pve-devel" <pve-devel at pve.proxmox.com> 
>> Sent: Thursday 19 June 2014 06:09:15 
>> Subject: [pve-devel] firewall : cluster.fw [rules] section ? 
>> 
>> Hi, 
>> I see a [rules] section in cluster.fw, 
>> 
>> but I don't see anywhere in the code where these rules are generated? 
>> _______________________________________________ 
>> pve-devel mailing list 
>> pve-devel at pve.proxmox.com 
>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
>> 

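The thread contrasts a layer-2 MAC check in ebtables with one done in iptables, and raises the point that an iptables rule set that accepts ESTABLISHED flows first never re-checks the MAC. The script below is an added example, not Proxmox VE code and not the pve-firewall tap chain: it emits a per-tap ebtables rule set (source MAC pinned, ARP sender MAC pinned, only ARP/IPv4/IPv6 ethertypes allowed), the closest iptables equivalent with the MAC check placed ahead of the conntrack accept, and an audit helper that flags an existing listing where the order is the other way round. The tap name, the MAC, the chain names VMFW-<tap> and VMFW-IP-<tap>, and the iptables-save fragment at the end are all constructed for the example; the ARP sender-MAC rule and the audit helper go beyond what the thread itself shows.

```shell
#!/bin/sh
# Added example, not Proxmox VE code: emit per-VM anti-spoofing rules for one
# tap device, first in ebtables (layer 2) and then the closest iptables
# equivalent. Assumptions: tap name and MAC are passed as arguments; the chain
# names VMFW-<tap> and VMFW-IP-<tap> are hypothetical, not pve-firewall's
# chains; the script only prints commands, it does not run ebtables/iptables.

# Accept only a MAC of the form xx:xx:xx:xx:xx:xx.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Layer-2 version. -i <tap> matches frames the guest injects into the bridge.
# Every frame passes these checks; ebtables has no connection state that
# could short-circuit them once a flow exists.
gen_ebtables_rules() {
    tap="$1"; mac="$2"
    valid_mac "$mac" || return 1
    cat <<EOF
ebtables -N VMFW-$tap 2>/dev/null || ebtables -F VMFW-$tap
# Ethernet source must be the VM's own MAC (one MAC per tap, so no mask).
ebtables -A VMFW-$tap -i $tap -s ! $mac -j DROP
# ARP sender hardware address must be that MAC too (blocks ARP poisoning).
ebtables -A VMFW-$tap -i $tap -p ARP --arp-mac-src ! $mac -j DROP
# Only ARP, IPv4 and IPv6 may leave the guest; any other ethertype is dropped.
ebtables -A VMFW-$tap -i $tap -p ARP -j RETURN
ebtables -A VMFW-$tap -i $tap -p IPv4 -j RETURN
ebtables -A VMFW-$tap -i $tap -p IPv6 -j RETURN
ebtables -A VMFW-$tap -i $tap -j DROP
# Hook the chain for bridged and host-bound frames coming in from this tap.
ebtables -A FORWARD -i $tap -j VMFW-$tap
ebtables -A INPUT -i $tap -j VMFW-$tap
EOF
}

# Layer-3 version. The mac match reads the frame's source MAC but is only
# valid in PREROUTING/INPUT/FORWARD, bridged traffic reaches iptables only
# with br_netfilter enabled, and the tap is identified through physdev.
# Rule order is the point raised in the thread: the MAC check must come
# before the usual ESTABLISHED,RELATED accept, otherwise a frame whose
# 5-tuple matches an existing conntrack entry is accepted without its MAC
# ever being compared.
gen_iptables_rules() {
    tap="$1"; mac="$2"
    valid_mac "$mac" || return 1
    cat <<EOF
iptables -N VMFW-IP-$tap 2>/dev/null || iptables -F VMFW-IP-$tap
iptables -A VMFW-IP-$tap -m mac ! --mac-source $mac -j DROP
iptables -A VMFW-IP-$tap -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in $tap -j VMFW-IP-$tap
EOF
}

# Audit helper: read rules on stdin (either the generated commands or an
# iptables-save listing) and return 0 when, in the given chain, the first
# --mac-source rule precedes the first ESTABLISHED accept, 1 otherwise.
mac_checked_before_established() {
    awk -v chain="$1" '
        BEGIN { re = "^(iptables )?-A " chain " " }
        $0 ~ re && /--mac-source/ && !m { m = NR }
        $0 ~ re && /ESTABLISHED/ && /-j ACCEPT/ && !e { e = NR }
        END { exit !(m && (!e || m < e)) }'
}

# Constructed iptables-save fragment with the weak ordering (not taken from
# any real host): conntrack accept first, MAC check second.
WEAK_LISTING='-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m mac ! --mac-source 52:54:00:12:34:56 -j DROP'

if [ "${1:-}" = "demo" ]; then
    gen_ebtables_rules tap100i0 52:54:00:12:34:56
    gen_iptables_rules tap100i0 52:54:00:12:34:56
    if printf '%s\n' "$WEAK_LISTING" | mac_checked_before_established FORWARD; then
        echo "weak listing: ok"
    else
        echo "weak listing: MAC checked only after the ESTABLISHED accept"
    fi
fi
```

Run it as `sh antispoof.sh demo` to print the two rule sets and the audit verdict on the constructed listing; the printed commands are meant to be reviewed and then piped to a root shell, not executed blindly. To audit a live host, feed `iptables-save` into `mac_checked_before_established <chain>`.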


More information about the pve-devel mailing list