[pve-devel] firewall : cluster.fw [rules] section ?

Alexandre DERUMIER aderumier at odiso.com
Fri Jul 4 14:14:03 CEST 2014


>>For example:
>>layer2filter_protocols: ARP,IPV4,IPV6
>>
>>so any other LAYER2 protocol gets dropped.

Ok, no problem.  

supported protocols are in

cat /etc/ethertypes


----- Original Message ----- 

From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
To: "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
Sent: Friday 4 July 2014 13:50:43 
Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ? 

On 04.07.2014 13:45, Alexandre DERUMIER wrote: 
>>> What about ARP traffic? Someone can claim he is another mac in ARP. Even 
>>> though ip traffic will then never reach the VM he still can tell via arp 
>>> that this vm is for example the GW. 
> 
> Oh, ok, you are right ! 
> 
> I'll make a patch for ebtables, it should be easy to implement. 

That would be really great. 

It would be really nice if we can also define a set of protocols allowed 
for this VM. 

For example: 
layer2filter_protocols: ARP,IPV4,IPV6 

so any other LAYER2 protocol gets dropped. 

Stefan 


> ----- Original Message ----- 
> 
> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
> To: "Alexandre DERUMIER" <aderumier at odiso.com> 
> Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
> Sent: Friday 4 July 2014 11:28:40 
> Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ? 
> 
> 
> On 04.07.2014 11:24, Alexandre DERUMIER wrote: 
>>>> Sorry i just meant mac spoofing. 
>>>> 
>>>> We should have ebtables rules like these: 
>>>> # Drop packets that don't match the network's MAC Address 
>>>> -s ! <mac_address>/ff:ff:ff:ff:ff:0 -o <tap_device> -j DROP 
>>>> # Prevent MAC spoofing 
>>>> -s ! <mac_address> -i <tap_device> -j DROP 
>>>> 
>>>> Then we should filter non arp, IPv4 and IPv6 traffic in ebtables to 
>>>> prevent other crazy packets. 
>> 
>> What is the advantage of doing it in ebtables vs iptables ? 
>> http://ebtables.sourceforge.net/examples/basic.html#ex_anti-spoof 
>> 
>> (I ask the question, because if you have a lot of MACs to filter, 
>> in the worst case, you need to check all the ebtables rules, and for each packet.) 
> 
> This works as long as you talk about IPv4 or IPv6 Traffic. What about 
> non ip traffic? iptables can only handle layer 3 traffic. 
> 
> What about ARP traffic? Someone can claim he is another mac in ARP. Even 
> though ip traffic will then never reach the VM he still can tell via arp 
> that this vm is for example the GW. 
> 
>> also, with iptables, when the connection is established, we don't check the mac address. 
>> (don't know if it can be a security problem) 
> 
> Stefan 
> 
> 
>> 
>> ----- Original Message ----- 
>> 
>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
>> To: "Alexandre DERUMIER" <aderumier at odiso.com> 
>> Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
>> Sent: Friday 4 July 2014 11:07:38 
>> Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ? 
>> 
>> On 04.07.2014 11:03, Alexandre DERUMIER wrote: 
>>>>> Main problem is that iptables is only layer3. What about layer2 IP / mac 
>>>>> spoofing? 
>>> 
>>> yes, mac filtering needs to be done like currently, in tapchain. 
>>> 
>>> 
>>> (layer2 IP ????) 
>> 
>> Sorry, I just meant mac spoofing. 
>> 
>> We should have ebtables rules like these: 
>> # Drop packets that don't match the network's MAC Address 
>> -s ! <mac_address>/ff:ff:ff:ff:ff:0 -o <tap_device> -j DROP 
>> # Prevent MAC spoofing 
>> -s ! <mac_address> -i <tap_device> -j DROP 
>> 
>> Then we should filter non arp, IPv4 and IPv6 traffic in ebtables to 
>> prevent other crazy packets. 
>> 
>> Regards 
>> Stefan 
>> 
>>> ----- Original Message ----- 
>>> 
>>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
>>> To: "Alexandre DERUMIER" <aderumier at odiso.com>, "pve-devel" <pve-devel at pve.proxmox.com> 
>>> Sent: Friday 4 July 2014 10:55:58 
>>> Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ? 
>>> 
>>> On 19.06.2014 07:50, Alexandre DERUMIER wrote: 
>>>>>> But I don't see anywhere in the code where these rules are generated? 
>>>> 
>>>> I think we could create a PVEFW-cluster-IN|OUT chain, and put it at the same level as the blacklist. 
>>>> 
>>>> (and maybe make blacklist ipset more generic, if we can create a rule with blacklist) 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> also, I just found that ipset provide a net,iface hash 
>>>> 
>>>> ipset create foo hash:net,iface 
>>>> ipset add foo 192.168.0/24,eth0 
>>>> ipset add foo 10.1.0.0/16,eth1 
>>>> ipset test foo 192.168.0/24,eth0 
>>>> 
>>>> 
>>>> maybe we can use it to implement ipfilter at cluster level ? 
>>> 
>>> Main problem is that iptables is only layer3. What about layer2 IP / mac 
>>> spoofing? 
>>> 
>>> 
>>> Stefan 
>>> 
>>>> ----- Original Message ----- 
>>>> 
>>>> From: "Alexandre DERUMIER" <aderumier at odiso.com> 
>>>> To: "pve-devel" <pve-devel at pve.proxmox.com> 
>>>> Sent: Thursday 19 June 2014 06:09:15 
>>>> Subject: [pve-devel] firewall : cluster.fw [rules] section ? 
>>>> 
>>>> Hi, 
>>>> I see in cluster.fw a [rules] section, 
>>>> 
>>>> But I don't see anywhere in the code where these rules are generated? 
>>>> _______________________________________________ 
>>>> pve-devel mailing list 
>>>> pve-devel at pve.proxmox.com 
>>>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
>>>> 
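As an added example (not code from this thread and not pve-firewall's own implementation), the following POSIX shell function prints an ebtables rule set for one VM tap that combines the two controls discussed above: MAC anti-spoofing on frames the VM sends into the bridge, extended to the sender hardware address inside ARP packets, and a layer-2 protocol allow-list that drops every other ethertype. The chain name "PVEFW-<tap>" and the comma-separated protocol option are assumptions; protocol names must match entries in /etc/ethertypes.

```shell
#!/bin/sh
# Constructed example: print (do not apply) an ebtables rule set for one VM
# tap device. Rules are emitted as text so they can be reviewed before
# being fed to ebtables. The chain name "PVEFW-<tap>" is an assumption,
# not pve-firewall's real naming.

# gen_l2_rules <tap_device> <vm_mac> <comma-separated protocol list>
# Runs in a subshell so the IFS change stays local (plain POSIX sh).
gen_l2_rules() (
    tap=$1; mac=$2; protos=$3
    chain="PVEFW-$tap"   # assumption: hypothetical per-VM chain name

    echo "-N $chain"
    # Only frames entering the bridge from this tap are sent to the chain.
    echo "-A FORWARD -i $tap -j $chain"

    # 1a. Frame-level anti-spoofing: source MAC must be the VM's own MAC.
    echo "-A $chain -s ! $mac -j DROP"
    # 1b. ARP-level anti-spoofing: the ARP sender hardware address must
    #     match as well, otherwise the VM could still announce another
    #     MAC (e.g. the gateway's) while passing the frame-level check.
    echo "-A $chain -p ARP --arp-mac-src ! $mac -j DROP"

    # 2. Protocol allow-list (names as in /etc/ethertypes), then a
    #    default DROP for every ethertype not listed.
    IFS=','
    for p in $protos; do
        echo "-A $chain -p $p -j ACCEPT"
    done
    echo "-A $chain -j DROP"
)

# Example invocation with constructed values:
#   gen_l2_rules tap100i0 52:54:00:12:34:56 "ARP,IPv4,IPv6"
```

Because protocol names are looked up in /etc/ethertypes, a name that is not in that file makes ebtables reject the rule rather than silently allowing the traffic.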

