[pve-devel] firewall : cluster.fw [rules] section ?

Stefan Priebe - Profihost AG s.priebe at profihost.ag
Fri Jul 4 11:07:38 CEST 2014


On 04.07.2014 11:03, Alexandre DERUMIER wrote:
>>> Main problem is that iptables is only layer3. What about layer2 IP / mac 
>>> spoofing? 
> 
> yes, mac filtering need to be done like currently, in tapchain.
> 
> 
> (layer2 IP ????)

Sorry, I just meant MAC spoofing.

We should have ebtables rules like these:
# Drop packets that don't match the network's MAC Address
-s ! <mac_address>/ff:ff:ff:ff:ff:0 -o <tap_device> -j DROP
# Prevent MAC spoofing
-s ! <mac_address> -i <tap_device> -j DROP

Then we should filter non-ARP, non-IPv4 and non-IPv6 traffic in ebtables to
prevent other crazy packets.

Regards
Stefan

> ----- Original Message ----- 
> 
> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
> To: "Alexandre DERUMIER" <aderumier at odiso.com>, "pve-devel" <pve-devel at pve.proxmox.com> 
> Sent: Friday, 4 July 2014 10:55:58 
> Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ? 
> 
> On 19.06.2014 07:50, Alexandre DERUMIER wrote: 
>>>> But I don't see anywhere in the code where these rules are generated? 
>>
>> I think we could create a PVEFW-cluster-IN|OUT chain, and put it at the same level as blacklist. 
>>
>> (and maybe make blacklist ipset more generic, if we can create a rule with blacklist) 
>>
>> also, I just found that ipset provides a net,iface hash 
>>
>> ipset create foo hash:net,iface 
>> ipset add foo 192.168.0/24,eth0 
>> ipset add foo 10.1.0.0/16,eth1 
>> ipset test foo 192.168.0/24,eth0 
>>
>>
>> maybe we can use it to implement ipfilter at cluster level? 
> 
> Main problem is that iptables is only layer3. What about layer2 IP / mac 
> spoofing? 
> 
> 
> Stefan 
> 
>> ----- Original Message ----- 
>>
>> From: "Alexandre DERUMIER" <aderumier at odiso.com> 
>> To: "pve-devel" <pve-devel at pve.proxmox.com> 
>> Sent: Thursday, 19 June 2014 06:09:15 
>> Subject: [pve-devel] firewall : cluster.fw [rules] section ? 
>>
>> Hi, 
>> I see in cluster.fw a [rules] section, 
>>
>> But I don't see anywhere in the code where these rules are generated? 
>> _______________________________________________ 
>> pve-devel mailing list 
>> pve-devel at pve.proxmox.com 
>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 


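As an added example (not code from the thread and not pve-firewall's own code), a POSIX shell generator for the kind of per-tap ebtables chain Stefan sketches: MAC anti-spoofing on frames entering the bridge from the tap device, optional ARP and IPv4 source checks so a guest cannot poison neighbours' ARP caches or send packets with a foreign source IP, and a final drop of everything that is not ARP, IPv4 or IPv6. The chain name, the FORWARD hook placement, the IPv4 checks and the sample tap/MAC/IP values are assumptions; the script prints the commands rather than executing them so they can be reviewed before being applied on a host with ebtables.

```shell
#!/bin/sh
# Added example: emit the ebtables rules for one guest tap device.
# Chain naming, FORWARD placement and the IPv4 checks are assumptions,
# not pve-firewall behaviour. Commands are printed, not executed.

# valid_mac: accept only a full six-octet colon-separated MAC address.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# valid_ipv4: rough dotted-quad check, enough to reject empty or garbage input.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# gen_tap_rules TAP MAC [IPV4]
# Rules are evaluated in order; the unconditional DROP at the end implements
# "only ARP, IPv4 and IPv6 may pass".
gen_tap_rules() {
    tap="$1"; mac="$2"; ip4="$3"
    chain="tap-${tap}-in"            # assumed naming: one chain per tap device

    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    if [ -n "$ip4" ] && ! valid_ipv4 "$ip4"; then
        echo "bad IPv4: $ip4" >&2; return 1
    fi

    printf 'ebtables -N %s\n' "$chain"
    # frames arriving from the guest (-i tap) pass through the per-tap chain
    printf 'ebtables -A FORWARD -i %s -j %s\n' "$tap" "$chain"
    # MAC anti-spoofing: the source MAC must be the one assigned to the VM
    printf 'ebtables -A %s -s ! %s -j DROP\n' "$chain" "$mac"
    if [ -n "$ip4" ]; then
        # ARP payload addresses must match as well, otherwise a guest can
        # still poison neighbours' ARP caches with a correct Ethernet header
        printf 'ebtables -A %s -p ARP --arp-mac-src ! %s -j DROP\n' "$chain" "$mac"
        printf 'ebtables -A %s -p ARP --arp-ip-src ! %s -j DROP\n' "$chain" "$ip4"
        # IPv4 source check at layer 2, before iptables ever sees the packet
        printf 'ebtables -A %s -p IPv4 --ip-src ! %s -j DROP\n' "$chain" "$ip4"
    fi
    # whitelist the expected ethertypes, drop everything else (STP, LLDP, ...)
    printf 'ebtables -A %s -p ARP -j ACCEPT\n' "$chain"
    printf 'ebtables -A %s -p IPv4 -j ACCEPT\n' "$chain"
    printf 'ebtables -A %s -p IPv6 -j ACCEPT\n' "$chain"
    printf 'ebtables -A %s -j DROP\n' "$chain"
}

# Sample invocation with constructed values (tap name, MAC and IP are made up).
gen_tap_rules tap100i0 52:54:00:12:34:56 10.0.0.5
```

Running the script prints ten `ebtables` commands for the sample VM; without the third argument only the MAC check and the ethertype whitelist are emitted. The per-tap chain is the layer-2 counterpart of the tapchain mentioned in the thread; the hash:net,iface ipset discussed earlier only helps once the frame has reached iptables, so the MAC and ARP checks have to live here.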