[pve-devel] firewall : cluster.fw [rules] section ?

Stefan Priebe - Profihost AG s.priebe at profihost.ag
Fri Jul 4 13:50:43 CEST 2014


On 04.07.2014 13:45, Alexandre DERUMIER wrote:
>>> What about ARP traffic? Someone can claim he is another MAC in ARP. Even 
>>> though IP traffic will then never reach the VM, he can still tell via ARP 
>>> that this VM is for example the GW. 
> 
> Oh, ok, you are right !
> 
> I'll make a patch for ebtables, it should be easy to implement.

That would be really great.

It would be really nice if we could also define a set of protocols allowed
for this VM.

For example:
layer2filter_protocols: ARP,IPV4,IPV6

so any other layer 2 protocol gets dropped.

Stefan


> ----- Original message ----- 
> 
> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
> To: "Alexandre DERUMIER" <aderumier at odiso.com> 
> Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
> Sent: Friday 4 July 2014 11:28:40 
> Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ? 
> 
> 
> On 04.07.2014 11:24, Alexandre DERUMIER wrote: 
>>>> Sorry, I just meant MAC spoofing. 
>>>>
>>>> We should have ebtables rules like these: 
>>>> # Drop packets that don't match the network's MAC Address 
>>>> -s ! <mac_address>/ff:ff:ff:ff:ff:0 -o <tap_device> -j DROP 
>>>> # Prevent MAC spoofing 
>>>> -s ! <mac_address> -i <tap_device> -j DROP 
>>>>
>>>> Then we should filter non arp, IPv4 and IPv6 traffic in ebtables to 
>>>> prevent other crazy packets. 
>>
>> What is the advantage of doing it in ebtables vs iptables? 
>> http://ebtables.sourceforge.net/examples/basic.html#ex_anti-spoof 
>>
>> (I ask the question because if you have a lot of MACs to filter, 
>> in the worst case you need to check all the ebtables rules, for each packet.) 
> 
> This works as long as you talk about IPv4 or IPv6 traffic. What about 
> non-IP traffic? iptables can only handle layer 3 traffic. 
> 
> What about ARP traffic? Someone can claim he is another MAC in ARP. Even 
> though IP traffic will then never reach the VM, he can still tell via ARP 
> that this VM is for example the GW. 
> 
>> also, with iptables, when the connection is established, we don't check the MAC address. 
>> (don't know if it can be a security problem) 
> 
> Stefan 
> 
> 
>>
>> ----- Original message ----- 
>>
>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
>> To: "Alexandre DERUMIER" <aderumier at odiso.com> 
>> Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
>> Sent: Friday 4 July 2014 11:07:38 
>> Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ? 
>>
>> On 04.07.2014 11:03, Alexandre DERUMIER wrote: 
>>>>> The main problem is that iptables is only layer 3. What about layer 2 IP / MAC 
>>>>> spoofing? 
>>>
>>> yes, MAC filtering needs to be done like currently, in the tapchain. 
>>>
>>>
>>> (layer2 IP ????) 
>>
>> Sorry, I just meant MAC spoofing. 
>>
>> We should have ebtables rules like these: 
>> # Drop packets that don't match the network's MAC Address 
>> -s ! <mac_address>/ff:ff:ff:ff:ff:0 -o <tap_device> -j DROP 
>> # Prevent MAC spoofing 
>> -s ! <mac_address> -i <tap_device> -j DROP 
>>
>> Then we should filter non arp, IPv4 and IPv6 traffic in ebtables to 
>> prevent other crazy packets. 
>>
>> Regards 
>> Stefan 
>>
>>> ----- Original message ----- 
>>>
>>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
>>> To: "Alexandre DERUMIER" <aderumier at odiso.com>, "pve-devel" <pve-devel at pve.proxmox.com> 
>>> Sent: Friday 4 July 2014 10:55:58 
>>> Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ? 
>>>
>>> On 19.06.2014 07:50, Alexandre DERUMIER wrote: 
>>>>>> But I don't see anywhere in the code where these rules are generated? 
>>>>
>>>> I think we could create a PVEFW-cluster-IN|OUT chain, and put it at the same level as blacklist. 
>>>>
>>>> (and maybe make the blacklist ipset more generic, if we can create a rule with blacklist) 
>>>>
>>>>
>>>>
>>>>
>>>> also, I just found that ipset provides a net,iface hash 
>>>>
>>>> ipset create foo hash:net,iface 
>>>> ipset add foo 192.168.0/24,eth0 
>>>> ipset add foo 10.1.0.0/16,eth1 
>>>> ipset test foo 192.168.0/24,eth0 
>>>>
>>>>
>>>> maybe we can use it to implement ipfilter at cluster level? 
>>>
>>> The main problem is that iptables is only layer 3. What about layer 2 IP / MAC 
>>> spoofing? 
>>>
>>>
>>> Stefan 
>>>
>>>> ----- Original message ----- 
>>>>
>>>> From: "Alexandre DERUMIER" <aderumier at odiso.com> 
>>>> To: "pve-devel" <pve-devel at pve.proxmox.com> 
>>>> Sent: Thursday 19 June 2014 06:09:15 
>>>> Subject: [pve-devel] firewall : cluster.fw [rules] section ? 
>>>>
>>>> Hi, 
>>>> I see in cluster.fw a [rules] section, 
>>>>
>>>> But I don't see anywhere in the code where these rules are generated? 
>>>> _______________________________________________ 
>>>> pve-devel mailing list 
>>>> pve-devel at pve.proxmox.com 
>>>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
>>>>
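The thread proposes two layer 2 controls for a VM's tap device: ebtables rules that drop frames whose source MAC is not the VM's own (the quoted `-s ! <mac_address> -i <tap_device> -j DROP` rule), and a per-VM allow-list of layer 2 protocols (the proposed `layer2filter_protocols: ARP,IPV4,IPV6`) so that everything else is dropped. The shell function below is an added example, not code from the pve-firewall project; it generates such a rule set for one tap device and prints it for review rather than applying it. The chain name `PVEFW-L2-<tap>` is a hypothetical name chosen for the example. It goes one step beyond the quoted rules by also checking the ARP sender hardware address with ebtables' `--arp-mac-src` match, which addresses the ARP spoofing concern raised above (a guest could otherwise announce the gateway's address in ARP while its IP traffic is blocked).

```shell
#!/bin/sh
# Added example (not Proxmox/pve-firewall code): build per-VM ebtables
# anti-spoofing rules from a tap device, the VM's MAC and an allow-list of
# layer 2 protocols (comma separated, e.g. ARP,IPv4,IPv6).
#
# The function only prints the rules. Review them, then apply with e.g.
#   gen_l2_rules tap100i0 aa:bb:cc:dd:ee:ff ARP,IPv4,IPv6 | xargs -L1 ebtables
gen_l2_rules() {
    tap="$1"; mac="$2"; protos="$3"
    chain="PVEFW-L2-$tap"   # hypothetical chain name, not the real PVE one

    # Refuse anything that is not a plain xx:xx:xx:xx:xx:xx MAC address so a
    # malformed config value cannot turn into a rule that matches nothing.
    case "$mac" in
        [0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]) ;;
        *) echo "gen_l2_rules: bad MAC address: $mac" >&2; return 1 ;;
    esac

    # Dedicated chain, entered for every frame arriving from this tap device
    printf '%s\n' "-N $chain"
    printf '%s\n' "-A FORWARD -i $tap -j $chain"

    # 1. MAC anti-spoofing: frames from the tap must carry the VM's own MAC
    #    (same rule as quoted in the thread, scoped to the per-VM chain)
    printf '%s\n' "-A $chain -s ! $mac -j DROP"

    # 2. ARP anti-spoofing: the ARP sender hardware address must also be the
    #    VM's MAC, otherwise the guest can still claim to be e.g. the gateway
    printf '%s\n' "-A $chain -p ARP --arp-mac-src ! $mac -j DROP"

    # 3. Layer 2 protocol allow-list: accept the listed ethertypes (names as
    #    in /etc/ethertypes), drop every other layer 2 protocol
    old_ifs="$IFS"; IFS=','
    for p in $protos; do
        printf '%s\n' "-A $chain -p $p -j ACCEPT"
    done
    IFS="$old_ifs"
    printf '%s\n' "-A $chain -j DROP"
}
```

The chain is attached to FORWARD with `-i <tap>` only, so it filters frames the VM sends into the bridge; the quoted `-o <tap_device>` rule for the other direction is a separate concern and not generated here. Because the final rule drops everything not explicitly accepted, a VM whose protocol list omits ARP will lose IPv4 connectivity entirely, which is the intended fail-closed behaviour but worth keeping in mind when writing the config.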