[pve-devel] pve-firewall: dhcp snooping

Alexandre DERUMIER aderumier at odiso.com
Thu Jun 5 09:34:56 CEST 2014


>>Does that mean we insert the VM IP into <VMID>.fw ? What would be the 
>>format? Who is able to edit this one. 

net0 : .....,ips=192.168.0.1,192.168.0.2  

(like this it's possible to have multiple IPs per interface)


add an option in the firewall like: ipspoofingprotection: 1|0

>>I think the VM owner should be able to insert / update FW rules but 
>>should NOT be able to change the allowed IP. Is this assumption correct? 

Dietmar would like to implement some kind of "ip pools": 
you define pools of IPs, then give users permission to use these IPs. 
Then the user can assign these IPs to the VMs of his choice.



----- Original Mail ----- 

From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
To: "Alexandre DERUMIER" <aderumier at odiso.com>, "Dietmar Maurer" <dietmar at proxmox.com> 
Cc: pve-devel at pve.proxmox.com 
Sent: Thursday 5 June 2014 08:29:24 
Subject: Re: [pve-devel] pve-firewall: dhcp snooping 


On 05.06.2014 07:44, Alexandre DERUMIER wrote: 
> 
>>> something like: 
>>> 
>>> -A tap100i0-OUT -m mac ! --mac-source 0E:0B:38:B8:B3:21 -j DROP # we already have this 
>>> -A tap100i0-OUT -m set ! --match-set PVEFW-100-allowed-ips src -j DROP 
> 
> I can make a patch if you want. 

Would be great - but I still don't know how this would work. 

Does that mean we insert the VM IP into <VMID>.fw ? What would be the 
format? Who is able to edit this one? 

I think the VM owner should be able to insert / update FW rules but 
should NOT be able to change the allowed IP. Is this assumption correct? 

Stefan 

> ----- Original Mail ----- 
> 
> From: "Dietmar Maurer" <dietmar at proxmox.com> 
> To: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>, "Alexandre DERUMIER" <aderumier at odiso.com> 
> Cc: pve-devel at pve.proxmox.com 
> Sent: Wednesday 4 June 2014 14:50:53 
> Subject: RE: [pve-devel] pve-firewall: dhcp snooping 
> 
>>> The 'allowed_ips' ipset idea is very easy to implement ... 
>>> 
>> 
>> OK so adding option IP to each netX. 
> 
> No, I talk about an IPSet defined inside the <VMID>.fw file. 
> 
>> Just don't know how to implement the 
>> firewall rule to only allow packets from this MAC and IP combination. 
> 
> something like: 
> 
> -A tap100i0-OUT -m mac ! --mac-source 0E:0B:38:B8:B3:21 -j DROP # we already have this 
> -A tap100i0-OUT -m set ! --match-set PVEFW-100-allowed-ips src -j DROP 
> 
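As an added example (not code from this thread or from pve-firewall), the following POSIX shell script takes the "net0: ...,ips=192.168.0.1,192.168.0.2" syntax proposed above and prints the ipset and iptables commands matching the two rules Dietmar sketched. The function name, the rule generator itself and the assumption that "ips=" is the last key on the line are mine; the chain name tap100i0-OUT and the set name PVEFW-100-allowed-ips follow the thread.

```shell
#!/bin/sh
# Hypothetical rule generator (added example, not pve-firewall code):
# reads the "ips=" list proposed for a netX line and prints the ipset
# and iptables commands matching the two rules quoted in the thread.
# It only prints, so it can be tried without touching a live firewall.
# Assumption: "ips=" is the last key on the line, since the comma
# separates both the netX options and the individual addresses.

# usage: gen_rules VMID NET_INDEX "netX option string"
gen_rules() {
    vmid=$1
    idx=$2
    opts=$3
    tap="tap${vmid}i${idx}"
    ipset_name="PVEFW-${vmid}-allowed-ips"

    # The NIC MAC is the value of the model key, e.g. virtio=0E:0B:38:B8:B3:21
    mac=""
    for kv in $(printf '%s' "$opts" | tr ',' ' '); do
        case $kv in
            virtio=*|e1000=*|rtl8139=*|vmxnet3=*) mac=${kv#*=} ;;
        esac
    done
    # Everything after "ips=" is the comma-separated allowed address list
    ips=${opts##*ips=}
    # Refuse to emit rules when either the MAC or the ips= list is missing:
    # a set-match rule against an empty set would drop all traffic from the VM
    if [ -z "$mac" ] || [ "$ips" = "$opts" ]; then
        echo "gen_rules: need a NIC MAC and an ips= list" >&2
        return 1
    fi

    printf 'ipset create %s hash:ip -exist\n' "$ipset_name"
    printf 'ipset flush %s\n' "$ipset_name"
    printf '%s\n' "$ips" | tr ',' '\n' | while read -r ip; do
        printf 'ipset add %s %s -exist\n' "$ipset_name" "$ip"
    done
    # Existing pve-firewall rule: drop frames not sourced from the VM's MAC
    printf 'iptables -A %s-OUT -m mac ! --mac-source %s -j DROP\n' "$tap" "$mac"
    # Rule proposed in the thread: drop packets whose source IP is not allowed
    printf 'iptables -A %s-OUT -m set ! --match-set %s src -j DROP\n' "$tap" "$ipset_name"
}

# Stand-alone use: sh gen_rules.sh 100 0 "virtio=0E:0B:38:B8:B3:21,bridge=vmbr0,ips=192.168.0.1,192.168.0.2"
if [ $# -ge 3 ]; then
    gen_rules "$@"
fi
```

Because the set is flushed and refilled, a real implementation would swap in a freshly built set atomically (ipset swap) rather than leave a window in which the VM's traffic is dropped.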