[pve-devel] pve-firewall: dhcp snooping

Stefan Priebe - Profihost AG s.priebe at profihost.ag
Wed Jun 4 14:02:54 CEST 2014


On 04.06.2014 13:58, Alexandre DERUMIER wrote:
>>> There's also: 
>>> https://github.com/michael-dev/ebtables-dhcpsnooping/ 
>>>
>>> which simply monitors the DHCP traffic and automatically adds the 
>>> relevant rules to ebtables. 
> 
> What happens in the case of a malicious hacker who sends false DHCP responses over the network?

Where / at which point? Normally you have a trusted MAC and IP for the
DHCP server.

Then on the switches themselves you also use DHCP snooping. So how could an
attacker send wrong packets through the network?

I'm just afraid of the current situation, which has no security at
all. So everybody can configure any IP he wants and send packets with it.

Stefan

> ----- Original message ----- 
> 
> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
> To: "Alexandre DERUMIER" <aderumier at odiso.com> 
> Cc: "Dietmar Maurer" <dietmar at proxmox.com>, pve-devel at pve.proxmox.com 
> Sent: Wednesday 4 June 2014 13:49:08 
> Subject: Re: [pve-devel] pve-firewall: dhcp snooping 
> 
> On 04.06.2014 13:39, Alexandre DERUMIER wrote: 
>>>> But Dietmar correctly comments on how we know the IP. Or just as a 
>>>> text field set in the creation wizard? Does this make sense? 
>>
>> I think it depends on how you want to manage security. 
>> Do you want only a superadmin to specify the allowed IP/MAC, for example? 
>> In this case, maybe an external config is better. 
> 
> There's also: 
> https://github.com/michael-dev/ebtables-dhcpsnooping/ 
> 
> which simply monitors the DHCP traffic and automatically adds the 
> relevant rules to ebtables. 
> 
> 
>> ----- Original message ----- 
>>
>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
>> To: "Alexandre DERUMIER" <aderumier at odiso.com> 
>> Cc: "Dietmar Maurer" <dietmar at proxmox.com>, pve-devel at pve.proxmox.com 
>> Sent: Wednesday 4 June 2014 13:19:22 
>> Subject: Re: [pve-devel] pve-firewall: dhcp snooping 
>>
>> On 04.06.2014 13:10, Alexandre DERUMIER wrote: 
>>>>>>> net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3 
>>>>>>> It is then easy to implement such filter. 
>>>>
>>>> also a good idea. 
>>>>
>>>> Alexandre - any suggestions? 
>>>
>>> I like this one ;) Also, it could be used when we implement a DHCP server inside Proxmox. 
>>
>> But Dietmar correctly comments on how we know the IP. Or just as a 
>> text field set in the creation wizard? Does this make sense? 
>>
>> What are the enable DHCP and MAC filter options in the Firewall Options 
>> menu? 
>>
>> Stefan 
>>
>>> ----- Original message ----- 
>>>
>>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
>>> To: "Dietmar Maurer" <dietmar at proxmox.com>, pve-devel at pve.proxmox.com 
>>> Sent: Wednesday 4 June 2014 12:43:51 
>>> Subject: Re: [pve-devel] pve-firewall: dhcp snooping 
>>>
>>>>> net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3 
>>>>> It is then easy to implement such filter. 
>>>
>>> also a good idea. 
>>>
>>> Alexandre - any suggestions? 
>>>
>>>
>>> On 04.06.2014 12:19, Stefan Priebe - Profihost AG wrote: 
>>>> On 04.06.2014 12:10, Dietmar Maurer wrote: 
>>>>>> I'm starting to deploy the pve-firewall code on a test cluster. 
>>>>>>
>>>>>> Something I really would like to have is DHCP snooping on the Linux bridge so that 
>>>>>> VMs controlled by somebody else can't use fake / wrong IP addresses. 
>>>>>>
>>>>>> Is something like this possible with the current firewall code? 
>>>>>
>>>>> Not implemented, because we do not have/store a list of IPs. 
>>>>>
>>>>> One option would be to store the list of allowed IPs in the VM network config: 
>>>>>
>>>>> net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3 
>>>>>
>>>>> It is then easy to implement such filter. 
>>>>>
>>>>
>>>> For snooping no IP list is needed. You just monitor DHCP ACK 
>>>> packets from a specific MAC and IP and then generate the entries. 
>>>>
>>>> Stefan 
>>>> _______________________________________________ 
>>>> pve-devel mailing list 
>>>> pve-devel at pve.proxmox.com 
>>>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
>>>>
>>>
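
To make Dietmar's proposal concrete, here is an added example (not code from pve-firewall or from anyone in this thread) that parses the proposed net0 line and emits the ebtables commands that would pin the VM's bridge port to the configured MAC and IP, while still letting the guest obtain a lease via DHCP. The VM id 100, the tap<vmid>i<idx> port name and the rule set itself are my assumptions.

```python
import re
import ipaddress

# Constructed sample: the config line proposed in the thread (VM id 100 is assumed).
SAMPLE_NET_LINE = "net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3"

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
NIC_MODELS = ("e1000", "virtio", "rtl8139", "vmxnet3")

def parse_net_line(line):
    """Parse 'netN: model=MAC,key=val,...' into a dict with idx, model, mac, bridge, firewall, ip."""
    key, _, rest = line.partition(":")
    m = re.fullmatch(r"net(\d+)", key.strip())
    if not m:
        raise ValueError("not a netN entry: %r" % line)
    cfg = {"idx": int(m.group(1)), "bridge": None, "firewall": False, "ip": None}
    for item in rest.strip().split(","):
        k, _, v = item.partition("=")
        if k in NIC_MODELS:
            if not MAC_RE.match(v):
                raise ValueError("bad MAC %r" % v)
            cfg["model"], cfg["mac"] = k, v.upper()
        elif k == "bridge":
            cfg["bridge"] = v
        elif k == "firewall":
            cfg["firewall"] = (v == "1")
        elif k == "ip":
            cfg["ip"] = str(ipaddress.IPv4Address(v))  # rejects anything that is not an IPv4 address
    if "mac" not in cfg:
        raise ValueError("no model=MAC pair in %r" % line)
    return cfg

def ebtables_rules(vmid, cfg):
    """Return the ebtables commands that pin the VM's bridge port to its configured MAC and IPv4."""
    if not cfg["firewall"] or cfg["ip"] is None:
        return []  # nothing to enforce without firewall=1 and a stored ip
    tap = "tap%di%d" % (vmid, cfg["idx"])  # assumed port name: Proxmox uses tap<vmid>i<idx>
    mac, ip = cfg["mac"], cfg["ip"]
    return [
        # only the configured MAC may source frames on this port
        "ebtables -A FORWARD -i %s -s ! %s -j DROP" % (tap, mac),
        # the guest must still be able to DHCP: unconfigured source 0.0.0.0, UDP 68 -> 67
        "ebtables -A FORWARD -i %s -p IPv4 --ip-src 0.0.0.0/32 --ip-proto udp"
        " --ip-sport 68 --ip-dport 67 -j ACCEPT" % tap,
        # IPv4 packets and ARP packets may only claim the configured address
        "ebtables -A FORWARD -i %s -p IPv4 --ip-src ! %s -j DROP" % (tap, ip),
        "ebtables -A FORWARD -i %s -p ARP --arp-ip-src ! %s -j DROP" % (tap, ip),
    ]
```

Only bridged traffic traverses the ebtables FORWARD chain; frames addressed to the host itself go through INPUT and would need the same rules there.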