[pve-devel] firewall : cluster.fw [rules] section ?
Stefan Priebe - Profihost AG
s.priebe at profihost.ag
Fri Jul 4 11:24:40 CEST 2014
On 04.07.2014 11:07, Stefan Priebe - Profihost AG wrote:
> On 04.07.2014 11:03, Alexandre DERUMIER wrote:
>>>> Main problem is that iptables is only layer3. What about layer2 IP / mac
>>>> spoofing?
>>
>> yes, mac filtering needs to be done like currently, in tapchain.
>>
>>
>> (layer2 IP ????)
>
> Sorry i just meant mac spoofing.
>
> We should have ebtables rules like these:
> # Drop packets that don't match the network's MAC Address
> -s ! <mac_address>/ff:ff:ff:ff:ff:0 -o <tap_device> -j DROP
> # Prevent MAC spoofing
> -s ! <mac_address> -i <tap_device> -j DROP
>
> Then we should filter non arp, IPv4 and IPv6 traffic in ebtables to
> prevent other crazy packets.
Dietmar / Alexandre - any idea how and where to implement this? There is
no ebtables-save / ebtables-restore.
> Regards
> Stefan
>
>> ----- Original Message -----
>>
>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>> To: "Alexandre DERUMIER" <aderumier at odiso.com>, "pve-devel" <pve-devel at pve.proxmox.com>
>> Sent: Friday 4 July 2014 10:55:58
>> Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ?
>>
>> On 19.06.2014 07:50, Alexandre DERUMIER wrote:
>>>>> But I don't see anywhere in the code where these rules are generated?
>>>
>>> I think we could create a PVEFW-cluster-IN|OUT chain, and put it at the same level as blacklist.
>>>
>>> (and maybe make blacklist ipset more generic, if we can create a rule with blacklist)
>>>
>>>
>>>
>>>
>>> also, I just found that ipset provides a net,iface hash
>>>
>>> ipset create foo hash:net,iface
>>> ipset add foo 192.168.0/24,eth0
>>> ipset add foo 10.1.0.0/16,eth1
>>> ipset test foo 192.168.0/24,eth0
>>>
>>>
>>> maybe we can use it to implement ipfilter at cluster level ?
>>
>> Main problem is that iptables is only layer3. What about layer2 IP / mac
>> spoofing?
>>
>>
>> Stefan
>>
>>> ----- Original Message -----
>>>
>>> From: "Alexandre DERUMIER" <aderumier at odiso.com>
>>> To: "pve-devel" <pve-devel at pve.proxmox.com>
>>> Sent: Thursday 19 June 2014 06:09:15
>>> Subject: [pve-devel] firewall : cluster.fw [rules] section ?
>>>
>>> Hi,
>>> I see in cluster.fw a [rules] section,
>>>
>>> But I don't see anywhere in the code where these rules are generated?
>>> _______________________________________________
>>> pve-devel mailing list
>>> pve-devel at pve.proxmox.com
>>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
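Added example, not Proxmox code and not from anyone in this thread: a small POSIX shell generator for the per-tap ebtables chain the discussion above asks for (pin the source MAC, pin the ARP and IP source addresses, allow only ARP/IPv4/IPv6 and drop the rest), written so the rule set is regenerated from the VM config whenever the tap device is created, which is what the absence of ebtables-save/restore implies. The chain name PVEFW-<tap>-IN, the DHCP (0.0.0.0, udp 68->67), ARP probe (sender IP 0.0.0.0) and IPv6 link-local/unspecified exceptions, and the option aliases --ip-src, --ip-proto, --ip-sport, --ip-dport, --ip6-src, --arp-mac-src, --arp-ip-src are assumptions of this example; the option spellings follow the ebtables man page but check them against the ebtables version actually installed.

```shell
#!/bin/sh
# Added example (not Proxmox code): build the ebtables rules that pin one VM
# NIC to its assigned MAC and IP(s) and admit only ARP, IPv4 and IPv6 frames.
# Chain name PVEFW-<tap>-IN is an assumed naming convention.

# Print the rule specs for one VM NIC, one per line, without the leading
# "ebtables" word, so they can be reviewed or piped into apply_vm_l2_rules.
#   $1 tap device   $2 assigned MAC   $3 assigned IPv4   $4 assigned IPv6 (optional)
gen_vm_l2_rules() {
    tap=$1; mac=$2; ip4=$3; ip6=${4:-}
    chain="PVEFW-${tap}-IN"
    # Refuse malformed MACs: the value comes from the VM config and ends up
    # unquoted on an ebtables command line.
    printf '%s\n' "$mac" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || {
        echo "gen_vm_l2_rules: bad MAC '$mac'" >&2
        return 1
    }
    # Frames the VM sends enter the bridge through $tap: hook the chain there.
    echo "-N $chain"
    echo "-A FORWARD -i $tap -j $chain"
    # Layer 2: the Ethernet source must be the MAC assigned to this NIC.
    echo "-A $chain -s ! $mac -j DROP"
    # ARP: sender hardware address must be the NIC's MAC; sender protocol
    # address must be the assigned IPv4 or 0.0.0.0 (RFC 5227 address probes,
    # which DHCP clients send before they own an address).
    echo "-A $chain -p ARP --arp-mac-src ! $mac -j DROP"
    echo "-A $chain -p ARP --arp-ip-src $ip4 -j ACCEPT"
    echo "-A $chain -p ARP --arp-ip-src 0.0.0.0 -j ACCEPT"
    echo "-A $chain -p ARP -j DROP"
    # IPv4: let DHCP client traffic (source 0.0.0.0, udp 68 -> 67) through
    # first, then pin every other IPv4 frame to the assigned address.
    echo "-A $chain -p IPv4 --ip-src 0.0.0.0 --ip-proto udp --ip-sport 68 --ip-dport 67 -j ACCEPT"
    echo "-A $chain -p IPv4 --ip-src ! $ip4 -j DROP"
    echo "-A $chain -p IPv4 -j ACCEPT"
    if [ -n "$ip6" ]; then
        # IPv6: NDP/RS use link-local sources and DAD uses the unspecified
        # address, so allow those plus the assigned global address only.
        echo "-A $chain -p IPv6 --ip6-src fe80::/10 -j ACCEPT"
        echo "-A $chain -p IPv6 --ip6-src ::/128 -j ACCEPT"
        echo "-A $chain -p IPv6 --ip6-src ! $ip6 -j DROP"
        echo "-A $chain -p IPv6 -j ACCEPT"
    fi
    # Anything else (non-ARP/IP ethertypes, and all IPv6 when none is
    # assigned) is dropped.
    echo "-A $chain -j DROP"
}

# Feed the generated specs to the real ebtables binary. Needs root and the
# ebtables kernel support; rerun at tap creation since nothing persists them.
apply_vm_l2_rules() {
    gen_vm_l2_rules "$@" | while read -r spec; do
        # Word splitting of $spec is intentional: it is the argument list.
        # shellcheck disable=SC2086
        ebtables $spec || { echo "apply_vm_l2_rules: failed: $spec" >&2; exit 1; }
    done
}

# Dry-run helper: print the commands that apply_vm_l2_rules would execute.
show_vm_l2_rules() {
    gen_vm_l2_rules "$@" | sed 's/^/ebtables /'
}
```

Usage: source the file and run `show_vm_l2_rules tap101i0 02:00:00:aa:bb:cc 10.0.0.5 2001:db8::5` to inspect the rule set, or `apply_vm_l2_rules ...` as root to install it. Leaving out the IPv6 argument deliberately drops all IPv6 from that NIC, including link-local, which is the strict reading of "filter non ARP, IPv4 and IPv6 traffic"; if the VM is expected to autoconfigure IPv6, pass its address so the link-local exceptions are emitted. Note that the source-MAC check only covers the VM's own tap; frames arriving from the bridge towards the VM (the `-o <tap_device>` direction in the quoted rule) are a separate chain and are not generated here.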