[pve-devel] pve-firewall: dhcp snooping
Stefan Priebe - Profihost AG
s.priebe at profihost.ag
Wed Jun 4 13:49:08 CEST 2014
Am 04.06.2014 13:39, schrieb Alexandre DERUMIER:
>>> But dietmar correctly comments on how do we know the IP. Or just as a
>>> textfield set in the creation wizard? Makes this sence.
>
> I think it depend how do you want to manage security.
> Do you want that only superadmin specify ip/mac allowed for example ?
> in this case, maybe in a external config is better.
There's also:
https://github.com/michael-dev/ebtables-dhcpsnooping/
which monitors simply the dhcp traffic and automatically add the
relevant rules to ebtables.
> ----- Mail original -----
>
> De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
> À: "Alexandre DERUMIER" <aderumier at odiso.com>
> Cc: "Dietmar Maurer" <dietmar at proxmox.com>, pve-devel at pve.proxmox.com
> Envoyé: Mercredi 4 Juin 2014 13:19:22
> Objet: Re: [pve-devel] pve-firewall: dhcp snooping
>
> Am 04.06.2014 13:10, schrieb Alexandre DERUMIER:
>>>>>> net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3
>>>>>> It is then easy to implement such filter.
>>>
>>> also a good idea.
>>>
>>> Alexandre - any suggestions?
>>
>> I like this one ;) also, could be use when we'll implement dhcp server inside proxmox.
>
> But dietmar correctly comments on how do we know the IP. Or just as a
> textfield set in the creation wizard? Makes this sence.
>
> What are the enable DHCP and MAC Filter Options in the Firewall Options
> Menu?
>
> Stefan
>
>> ----- Mail original -----
>>
>> De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>> À: "Dietmar Maurer" <dietmar at proxmox.com>, pve-devel at pve.proxmox.com
>> Envoyé: Mercredi 4 Juin 2014 12:43:51
>> Objet: Re: [pve-devel] pve-firewall: dhcp snooping
>>
>>>> net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3
>>>> It is then easy to implement such filter.
>>
>> also a good idea.
>>
>> Alexandre - any suggestions?
>>
>>
>> Am 04.06.2014 12:19, schrieb Stefan Priebe - Profihost AG:
>>> Am 04.06.2014 12:10, schrieb Dietmar Maurer:
>>>>> i'm starting to deploy the pve-firewall code on a test cluster.
>>>>>
>>>>> Something i really would like to have is dhcp snooping on the linux bridge so that
>>>>> VMs controlled by somebody else can't use fake / wrong ip adresses.
>>>>>
>>>>> Is something like this possible with the current firewall code?
>>>>
>>>> Not implemented, because we do not have/store a list of IPs.
>>>>
>>>> One option would be to store the list of allowed IP in the VM network config:
>>>>
>>>> net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3
>>>>
>>>> It is then easy to implement such filter.
>>>>
>>>
>>> For snooping there is no ip list neeeded. You just monitor DHCP ACK
>>> packets from specific MAC and IP and then generate the entries.
>>>
>>> Stefan
>>> _______________________________________________
>>> pve-devel mailing list
>>> pve-devel at pve.proxmox.com
>>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>>>
>> _______________________________________________
>> pve-devel mailing list
>> pve-devel at pve.proxmox.com
>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>>
More information about the pve-devel
mailing list