[pve-devel] pve-firewall : add ipfilter protection

Stefan Priebe - Profihost AG s.priebe at profihost.ag
Wed Jun 11 17:33:27 CEST 2014


On 11.06.2014 at 17:26, Dietmar Maurer <dietmar at proxmox.com> wrote:

>>> 192.168.0.1
>>> 10.0.0.0/8
>>> ....
>> 
>> Thanks - will try that but how to bind this to mac addresses or network
>> interfaces? I mean a user can have multiple network interfaces.
>> 
>> Maybe he is allowed to use IPA on net0 and IPB on net1 but not IPB on net0.
> 
> I doubt this is a real problem, because if he uses the IP on the wrong network, routing fails anyway?

There are several reasons why this could be a problem.

Think of private IP space: maybe there are the same networks in net0 and net1.

Or traffic on net1 is free of charge but traffic on net0 isn't, so someone could use a 2nd VM as a router.

Or someone can use a private IP range, but only on net1, which is last limited to 10mb/s, and not on net0, which is 10gb/s.

Solutions like OpenStack, libvirt or CloudStack always use IP <=> MAC bindings / filters.

Stefan
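As an added illustration of the point argued above (not code from the thread or from pve-firewall), the snippet below contrasts a single global address allowlist with a per-NIC IP/MAC binding: the same frame, IPB sent out of net0, passes the global list but is denied by the per-NIC filter. All addresses, MACs and the policy layout are constructed placeholders.

```python
import ipaddress

# Constructed example addresses (placeholders, not from the thread).
IPA = "192.168.0.1"
IPB = "10.0.0.7"

# A single global allowlist: any listed address is accepted on any
# interface of the guest, regardless of MAC.
GLOBAL_ALLOW = ["192.168.0.1", "10.0.0.0/8"]

# A per-NIC filter: each VM interface is bound to one MAC and to the
# source addresses it may use.  Interfaces not listed are denied.
PER_NIC_ALLOW = {
    "net0": {"mac": "02:00:00:00:00:01", "ips": ["192.168.0.1"]},
    "net1": {"mac": "02:00:00:00:00:02", "ips": ["10.0.0.0/8"]},
}


def _in_list(src_ip, entries):
    """True if src_ip falls inside any host or CIDR entry."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)


def global_allowed(src_ip, allow=GLOBAL_ALLOW):
    """Global list: neither the interface nor the MAC is considered."""
    return _in_list(src_ip, allow)


def per_nic_allowed(nic, src_mac, src_ip, allow=PER_NIC_ALLOW):
    """Per-NIC binding: frame must carry the NIC's MAC and a bound address."""
    entry = allow.get(nic)
    if entry is None:
        return False  # default deny for unknown interfaces
    if src_mac.lower() != entry["mac"].lower():
        return False  # MAC spoofing on this NIC
    return _in_list(src_ip, entry["ips"])


def compare(frames):
    """Evaluate (nic, src_mac, src_ip) frames under both policies."""
    return [(nic, ip, global_allowed(ip), per_nic_allowed(nic, mac, ip))
            for nic, mac, ip in frames]


if __name__ == "__main__":
    frames = [
        ("net0", "02:00:00:00:00:01", IPA),  # legitimate: IPA on net0
        ("net1", "02:00:00:00:00:02", IPB),  # legitimate: IPB on net1
        ("net0", "02:00:00:00:00:01", IPB),  # IPB on net0: global ok, per-NIC denied
        ("net1", "02:00:00:00:00:01", IPB),  # right net, wrong MAC: denied
    ]
    for row in compare(frames):
        print(row)
```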

