[pve-devel] pve-firewall: dhcp snooping

Alexandre DERUMIER aderumier at odiso.com
Wed Jun 4 13:10:26 CEST 2014


>>>> net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3 
>>>> It is then easy to implement such filter. 
>
>also a good idea. 
>
>Alexandre - any suggestions? 

I like this one ;) Also, it could be used when we implement a DHCP server inside Proxmox.

----- Original Message ----- 

From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
To: "Dietmar Maurer" <dietmar at proxmox.com>, pve-devel at pve.proxmox.com 
Sent: Wednesday, 4 June 2014 12:43:51 
Subject: Re: [pve-devel] pve-firewall: dhcp snooping 

>> net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3 
>> It is then easy to implement such filter. 

also a good idea. 

Alexandre - any suggestions? 


On 04.06.2014 12:19, Stefan Priebe - Profihost AG wrote: 
> On 04.06.2014 12:10, Dietmar Maurer wrote: 
>>> I'm starting to deploy the pve-firewall code on a test cluster. 
>>> 
>>> Something I really would like to have is dhcp snooping on the linux bridge so that 
>>> VMs controlled by somebody else can't use fake / wrong ip addresses. 
>>> 
>>> Is something like this possible with the current firewall code? 
>> 
>> Not implemented, because we do not have/store a list of IPs. 
>> 
>> One option would be to store the list of allowed IP in the VM network config: 
>> 
>> net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3 
>> 
>> It is then easy to implement such filter. 
>> 
> 
> For snooping there is no IP list needed. You just monitor DHCP ACK 
> packets from specific MAC and IP and then generate the entries. 
> 
> Stefan 
> _______________________________________________ 
> pve-devel mailing list 
> pve-devel at pve.proxmox.com 
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
> 
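Added example (not code from this thread or from pve-firewall): a Python illustration of the snooping approach described above, which learns a MAC to IP binding only from DHCP ACKs sent by a trusted server and then checks a frame's source against it. The function names and the server address a caller passes in are assumptions; the client MAC and IP used to exercise it can be the ones from the `net0` line.

```python
import ipaddress

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie after the 236-byte BOOTP header

def parse_ack(payload):
    """Return (client_mac, leased_ip) if payload is a DHCPACK, else None."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    if payload[:3] != b"\x02\x01\x06":   # BOOTREPLY, Ethernet, 6-byte address
        return None
    ip = str(ipaddress.IPv4Address(payload[16:20]))  # yiaddr
    mac = payload[28:34].hex(":").upper()            # chaddr
    msg_type, i = None, 240
    while i < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 0:                          # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None                              # truncated option header
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None                              # truncated option body
        if code == 53 and length == 1:               # option 53 = message type
            msg_type = value[0]
        i += 2 + length
    if msg_type != 5 or ip == "0.0.0.0":             # 5 = DHCPACK
        return None
    return mac, ip

def snoop(bindings, server, src_mac, src_ip, payload):
    """Learn a MAC -> IP binding only from an ACK sent by the trusted server."""
    ack = parse_ack(payload)
    if ack is None or (src_mac.upper(), src_ip) != server:
        return False
    bindings[ack[0]] = ack[1]
    return True

def allowed(bindings, src_mac, src_ip):
    """Filter decision: source IP must equal the binding learned for that MAC."""
    return bindings.get(src_mac.upper()) == src_ip

def build_reply(mac, ip, msg_type):
    """Constructed sample input: minimal BOOTREPLY carrying only option 53."""
    hdr = bytearray(236)
    hdr[0:3] = bytes([2, 1, 6])
    hdr[16:20] = ipaddress.IPv4Address(ip).packed
    hdr[28:34] = bytes.fromhex(mac.replace(":", ""))
    return bytes(hdr) + MAGIC + bytes([53, 1, msg_type, 255])
```

An ACK from any sender other than the configured server leaves the table unchanged, so a guest cannot create its own binding by answering DHCP itself.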