[pve-devel] pve-firewall: dhcp snooping

Stefan Priebe - Profihost AG s.priebe at profihost.ag
Thu Jun 5 10:05:25 CEST 2014


On 05.06.2014 09:34, Alexandre DERUMIER wrote:
>>> Does that mean we insert the VM IP into <VMID>.fw ? What would be the 
>>> format? Who is able to edit this one. 
> 
> net0 : .....,ips=192.168.0.1,192.168.0.2  
> 
> (like this it's possible to have multiple IPs per interface)
> 
> 
> add an option in firewall like : ipspoofingprotection : 1|0

sounds great.

>>> I think the VM owner should be able to insert / update FW rules but 
>>> should NOT be able to change the allowed IP. Is this assumption correct? 
> 
> Dietmar would like to implement some kind of "ip pools": 
> you define pools of IPs, then give the user permission to use these IPs, 
> then the user can assign these IPs to VMs of his choice.

This is cool and great, but we should also think of the possibility
that the user cannot freely decide which IP he wants to use and we still
want to have the above protection.

Stefan


> ----- Original Message ----- 
> 
> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
> To: "Alexandre DERUMIER" <aderumier at odiso.com>, "Dietmar Maurer" <dietmar at proxmox.com> 
> Cc: pve-devel at pve.proxmox.com 
> Sent: Thursday 5 June 2014 08:29:24 
> Subject: Re: [pve-devel] pve-firewall: dhcp snooping 
> 
> 
> On 05.06.2014 07:44, Alexandre DERUMIER wrote: 
>>
>>>> something like: 
>>>>
>>>> -A tap100i0-OUT -m mac ! --mac-source 0E:0B:38:B8:B3:21 -j DROP # we already have this 
>>>> -A tap100i0-OUT -m set ! --match-set PVEFW-100-allowed-ips src -j DROP 
>>
>> I can make a patch if you want. 
> 
> Would be great - but i still don't know how this would work. 
> 
> Does that mean we insert the VM IP into <VMID>.fw ? What would be the 
> format? Who is able to edit this one. 
> 
> I think the VM owner should be able to insert / update FW rules but 
> should NOT be able to change the allowed IP. Is this assumption correct? 
> 
> Stefan 
> 
>> ----- Original Message ----- 
>>
>> From: "Dietmar Maurer" <dietmar at proxmox.com> 
>> To: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>, "Alexandre DERUMIER" <aderumier at odiso.com> 
>> Cc: pve-devel at pve.proxmox.com 
>> Sent: Wednesday 4 June 2014 14:50:53 
>> Subject: RE: [pve-devel] pve-firewall: dhcp snooping 
>>
>>>> The 'allowed_ips' ipset idea is very easy to implement ... 
>>>>
>>>
>>> OK so adding option IP to each netX. 
>>
>> No, I talk about an IPSet defined inside the <VMID>.fw file. 
>>
>>> Just don't know how to implement the 
>>> firewall rule to only allow packets from this MAC and IP combination. 
>>
>> something like: 
>>
>> -A tap100i0-OUT -m mac ! --mac-source 0E:0B:38:B8:B3:21 -j DROP # we already have this 
>> -A tap100i0-OUT -m set ! --match-set PVEFW-100-allowed-ips src -j DROP 
>>
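An added example (not pve-firewall code and not from any poster) of how the "ips=" option discussed in this thread could be turned into the MAC plus allowed-IP ipset rules Dietmar sketched. It only prints the commands; the chain and set names follow the thread, and the way a comma-separated ips= list is parsed out of the netX value is an assumption.

```shell
#!/bin/sh
# Added example, not pve-firewall code. Generates the anti-spoofing rules
# proposed in the thread for one VM NIC from a netX value of the proposed form
#   virtio=<MAC>,bridge=vmbr0,ips=192.168.0.1,192.168.0.2
# Nothing is applied; the commands are only printed. Chain and set names
# (tap<VMID>i<N>-OUT, PVEFW-<VMID>-allowed-ips) follow the thread; treating
# every bare token after ips= as a further address is an assumption.

# parse_net_opts NETVALUE -> sets MAC and IPS (space separated) as globals.
parse_net_opts() {
    MAC=""; IPS=""; in_ips=0
    old_ifs=$IFS; IFS=,
    for tok in $1; do
        case $tok in
            ips=*) IPS=${tok#ips=}; in_ips=1 ;;        # start of the ip list
            *=*)   in_ips=0                             # any other key=value ends it
                   case $tok in
                       virtio=*|e1000=*|rtl8139=*|vmxnet3=*) MAC=${tok#*=} ;;
                   esac ;;
            *)     if [ "$in_ips" -eq 1 ]; then IPS="$IPS $tok"; fi ;;
        esac
    done
    IFS=$old_ifs
}

# vm_antispoof_rules VMID NICIDX NETVALUE -> prints ipset/iptables commands;
# returns 1 when the NIC has no MAC, no ips= list, or a malformed address.
vm_antispoof_rules() {
    parse_net_opts "$3"
    chain="tap$1i$2-OUT"; set="PVEFW-$1-allowed-ips"
    [ -n "$MAC" ] && [ -n "$IPS" ] || { echo "net$2: need MAC and ips=" >&2; return 1; }
    for ip in $IPS; do                                  # validate before emitting anything
        case $ip in
            *[!0-9.]*|'') echo "net$2: bad IPv4 '$ip'" >&2; return 1 ;;
        esac
    done
    echo "ipset create $set hash:ip -exist"
    for ip in $IPS; do echo "ipset add $set $ip -exist"; done
    # the MAC check that already exists, then the new source-IP check
    echo "iptables -A $chain -m mac ! --mac-source $MAC -j DROP"
    echo "iptables -A $chain -m set ! --match-set $set src -j DROP"
}
```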
