[pve-devel] firewall : cluster.fw [rules] section ?

Alexandre DERUMIER aderumier at odiso.com
Fri Jul 4 13:45:46 CEST 2014


>>What about ARP traffic? Smoeone can claim he is another mac in ARP. Even 
>>though ip traffic will then never reach the VM he still can tell via arp 
>>that this vm is for example the GW. 

Oh, ok, you are right !

I'll make a patch for ebtables,it  should be easy to implement.



----- Mail original ----- 

De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
À: "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
Envoyé: Vendredi 4 Juillet 2014 11:28:40 
Objet: Re: [pve-devel] firewall : cluster.fw [rules] section ? 


Am 04.07.2014 11:24, schrieb Alexandre DERUMIER: 
>>> Sorry i just meant mac spoofing. 
>>> 
>>> We should have ebtables rules like these: 
>>> # Drop packets that don't match the network's MAC Address 
>>> -s ! <mac_address>/ff:ff:ff:ff:ff:0 -o <tap_device> -j DROP 
>>> # Prevent MAC spoofing 
>>> -s ! <mac_address> -i <tap_device> -j DROP 
>>> 
>>> Then we should filter non arp, IPv4 and IPv6 traffic in ebtables to 
>>> prevent other crazy packets. 
> 
> What is the advantage to do it in ebtables vs iptables ? 
> http://ebtables.sourceforge.net/examples/basic.html#ex_anti-spoof 
> 
> (I tell the question, because if you have a lot of mac to filter, 
> in the worst case, you need to check all the ebtables rules, and for each packet. 

This works as long as you talk about IPv4 or IPv6 Traffic. What about 
non ip traffic? iptables can only handle layer 3 traffic. 

What about ARP traffic? Smoeone can claim he is another mac in ARP. Even 
though ip traffic will then never reach the VM he still can tell via arp 
that this vm is for example the GW. 

> also ,with iptables, when the connection is established, we don't check the mac address. 
> (don't known if it can be a security problem) 

Stefan 


> 
> ----- Mail original ----- 
> 
> De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
> À: "Alexandre DERUMIER" <aderumier at odiso.com> 
> Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
> Envoyé: Vendredi 4 Juillet 2014 11:07:38 
> Objet: Re: [pve-devel] firewall : cluster.fw [rules] section ? 
> 
> Am 04.07.2014 11:03, schrieb Alexandre DERUMIER: 
>>>> Main problem is that iptables is only layer3. What about layer2 IP / mac 
>>>> spoofing? 
>> 
>> yes, mac filtering need to be done like currently, in tapchain. 
>> 
>> 
>> (layer2 IP ????) 
> 
> Sorry i just meant mac spoofing. 
> 
> We should have ebtables rules like these: 
> # Drop packets that don't match the network's MAC Address 
> -s ! <mac_address>/ff:ff:ff:ff:ff:0 -o <tap_device> -j DROP 
> # Prevent MAC spoofing 
> -s ! <mac_address> -i <tap_device> -j DROP 
> 
> Then we should filter non arp, IPv4 and IPv6 traffic in ebtables to 
> prevent other crazy packets. 
> 
> Grüße 
> Stefan 
> 
>> ----- Mail original ----- 
>> 
>> De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
>> À: "Alexandre DERUMIER" <aderumier at odiso.com>, "pve-devel" <pve-devel at pve.proxmox.com> 
>> Envoyé: Vendredi 4 Juillet 2014 10:55:58 
>> Objet: Re: [pve-devel] firewall : cluster.fw [rules] section ? 
>> 
>> Am 19.06.2014 07:50, schrieb Alexandre DERUMIER: 
>>>>> But I don't see anywhere in the code where theses rules are generate ? 
>>> 
>>> I think we could create a PVEFW-cluster-IN|OUT chain, and put it at same level that blacklist. 
>>> 
>>> (and maybe make blacklist ipset more generic, if we can create a rule with blacklist) 
>>> 
>>> 
>>> 
>>> 
>>> also, I just found that ipset provide a net,iface hash 
>>> 
>>> ipset create foo hash:net,iface 
>>> ipset add foo 192.168.0/24,eth0 
>>> ipset add foo 10.1.0.0/16,eth1 
>>> ipset test foo 192.168.0/24,eth0 
>>> 
>>> 
>>> maybe can we use it to implement ipfilter at cluster level ? 
>> 
>> Main problem is that iptables is only layer3. What about layer2 IP / mac 
>> spoofing? 
>> 
>> 
>> Stefan 
>> 
>>> ----- Mail original ----- 
>>> 
>>> De: "Alexandre DERUMIER" <aderumier at odiso.com> 
>>> À: "pve-devel" <pve-devel at pve.proxmox.com> 
>>> Envoyé: Jeudi 19 Juin 2014 06:09:15 
>>> Objet: [pve-devel] firewall : cluster.fw [rules] section ? 
>>> 
>>> Hi, 
>>> I see in cluster.fw a [rules] section, 
>>> 
>>> But I don't see anywhere in the code where theses rules are generate ? 
>>> _______________________________________________ 
>>> pve-devel mailing list 
>>> pve-devel at pve.proxmox.com 
>>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
>>> _______________________________________________ 
>>> pve-devel mailing list 
>>> pve-devel at pve.proxmox.com 
>>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
>>> 


More information about the pve-devel mailing list