[pve-devel] firewall : cluster.fw [rules] section ?
Alexandre DERUMIER
aderumier at odiso.com
Fri Jul 4 14:14:03 CEST 2014
>>For example:
>>layer2filter_protocols: ARP,IPV4,IPV6
>>
>>so any other LAYER2 protocol gets dropped.
Ok, no problem.
Supported protocols are in
cat /etc/ethertypes
----- Original Mail -----
From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Friday 4 July 2014 13:50:43
Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ?
On 04.07.2014 13:45, Alexandre DERUMIER wrote:
>>> What about ARP traffic? Someone can claim he is another mac in ARP. Even
>>> though ip traffic will then never reach the VM he still can tell via arp
>>> that this vm is for example the GW.
>
> Oh, ok, you are right !
>
> I'll make a patch for ebtables, it should be easy to implement.
That would be really great.
It would be really nice if we can also define a set of protocols allowed
for this VM.
For example:
layer2filter_protocols: ARP,IPV4,IPV6
so any other LAYER2 protocol gets dropped.
Stefan
> ----- Original Mail -----
>
> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
> To: "Alexandre DERUMIER" <aderumier at odiso.com>
> Cc: "pve-devel" <pve-devel at pve.proxmox.com>
> Sent: Friday 4 July 2014 11:28:40
> Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ?
>
>
> On 04.07.2014 11:24, Alexandre DERUMIER wrote:
>>>> Sorry i just meant mac spoofing.
>>>>
>>>> We should have ebtables rules like these:
>>>> # Drop packets that don't match the network's MAC Address
>>>> -s ! <mac_address>/ff:ff:ff:ff:ff:0 -o <tap_device> -j DROP
>>>> # Prevent MAC spoofing
>>>> -s ! <mac_address> -i <tap_device> -j DROP
>>>>
>>>> Then we should filter non arp, IPv4 and IPv6 traffic in ebtables to
>>>> prevent other crazy packets.
>>
>> What is the advantage to do it in ebtables vs iptables ?
>> http://ebtables.sourceforge.net/examples/basic.html#ex_anti-spoof
>>
>> (I ask the question, because if you have a lot of mac to filter,
>> in the worst case, you need to check all the ebtables rules, and for each packet.
>
> This works as long as you talk about IPv4 or IPv6 Traffic. What about
> non ip traffic? iptables can only handle layer 3 traffic.
>
> What about ARP traffic? Someone can claim he is another mac in ARP. Even
> though ip traffic will then never reach the VM he still can tell via arp
> that this vm is for example the GW.
>
>> also, with iptables, when the connection is established, we don't check the mac address.
>> (don't know if it can be a security problem)
>
> Stefan
>
>
>>
>> ----- Original Mail -----
>>
>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>> To: "Alexandre DERUMIER" <aderumier at odiso.com>
>> Cc: "pve-devel" <pve-devel at pve.proxmox.com>
>> Sent: Friday 4 July 2014 11:07:38
>> Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ?
>>
>> On 04.07.2014 11:03, Alexandre DERUMIER wrote:
>>>>> Main problem is that iptables is only layer3. What about layer2 IP / mac
>>>>> spoofing?
>>>
>>> yes, mac filtering needs to be done like currently, in tapchain.
>>>
>>>
>>> (layer2 IP ????)
>>
>> Sorry i just meant mac spoofing.
>>
>> We should have ebtables rules like these:
>> # Drop packets that don't match the network's MAC Address
>> -s ! <mac_address>/ff:ff:ff:ff:ff:0 -o <tap_device> -j DROP
>> # Prevent MAC spoofing
>> -s ! <mac_address> -i <tap_device> -j DROP
>>
>> Then we should filter non arp, IPv4 and IPv6 traffic in ebtables to
>> prevent other crazy packets.
>>
>> Regards
>> Stefan
>>
>>> ----- Original Mail -----
>>>
>>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>>> To: "Alexandre DERUMIER" <aderumier at odiso.com>, "pve-devel" <pve-devel at pve.proxmox.com>
>>> Sent: Friday 4 July 2014 10:55:58
>>> Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ?
>>>
>>> On 19.06.2014 07:50, Alexandre DERUMIER wrote:
>>>>>> But I don't see anywhere in the code where these rules are generated ?
>>>>
>>>> I think we could create a PVEFW-cluster-IN|OUT chain, and put it at same level that blacklist.
>>>>
>>>> (and maybe make blacklist ipset more generic, if we can create a rule with blacklist)
>>>>
>>>>
>>>>
>>>>
>>>> also, I just found that ipset provide a net,iface hash
>>>>
>>>> ipset create foo hash:net,iface
>>>> ipset add foo 192.168.0/24,eth0
>>>> ipset add foo 10.1.0.0/16,eth1
>>>> ipset test foo 192.168.0/24,eth0
>>>>
>>>>
>>>> maybe can we use it to implement ipfilter at cluster level ?
>>>
>>> Main problem is that iptables is only layer3. What about layer2 IP / mac
>>> spoofing?
>>>
>>>
>>> Stefan
>>>
>>>> ----- Original Mail -----
>>>>
>>>> From: "Alexandre DERUMIER" <aderumier at odiso.com>
>>>> To: "pve-devel" <pve-devel at pve.proxmox.com>
>>>> Sent: Thursday 19 June 2014 06:09:15
>>>> Subject: [pve-devel] firewall : cluster.fw [rules] section ?
>>>>
>>>> Hi,
>>>> I see in cluster.fw a [rules] section,
>>>>
>>>> But I don't see anywhere in the code where these rules are generated ?
>>>> _______________________________________________
>>>> pve-devel mailing list
>>>> pve-devel at pve.proxmox.com
>>>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
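As an added worked example, not code from this thread and not the Proxmox firewall's own implementation, the shell script below generates the two kinds of ebtables rules Stefan proposes: the per-tap source-MAC anti-spoofing DROP, and an allow-list of layer-2 protocols (ARP, IPv4, IPv6) with every other ethertype dropped. Protocol names are resolved against an excerpt in the format of /etc/ethertypes, the file Alexandre points to. The chain name vm-l2-in, the tap device tap100i0, the MAC address and the ethertypes excerpt are constructed placeholders; the script only prints the rules so they can be reviewed before being loaded with ebtables-restore.

```sh
#!/bin/sh
# Added example (not Proxmox code): generate, without applying, the per-VM ebtables
# rules discussed in this thread: drop frames whose source MAC is not the VM's own
# MAC, then allow only a short list of layer-2 protocols and drop everything else.
# The chain name "vm-l2-in" and the sample VM values are assumptions for illustration.

# Constructed excerpt in the format of /etc/ethertypes ("name  hex-ethertype").
ETHERTYPES_SAMPLE="IPv4 0800
ARP 0806
IPv6 86DD
RARP 8035
PPPoE 8864"

# Print the ethertype (e.g. 0x0806) for a protocol name, matched case-insensitively
# against the table above; return 1 if the name is unknown, so a misspelled entry
# in an allow-list is rejected instead of silently producing an unmatchable rule.
ethertype_of() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '%s\n' "$ETHERTYPES_SAMPLE" | {
        while read -r proto hex; do
            if [ "$(printf '%s' "$proto" | tr 'A-Z' 'a-z')" = "$want" ]; then
                printf '0x%s\n' "$hex"
                exit 0
            fi
        done
        exit 1
    }
}

# Emit ebtables rule lines for one VM interface.
#   $1 = tap device, $2 = the MAC configured for that NIC,
#   $3 = space-separated allow-list of layer-2 protocol names.
# Output is meant for review or for ebtables-restore; nothing is applied here.
gen_vm_l2_rules() {
    tap=$1
    mac=$2
    allowed=$3
    # Anti-spoofing: a frame entering the bridge from this tap must carry the VM's MAC.
    printf '%s\n' "-A vm-l2-in -i $tap -s ! $mac -j DROP"
    # Protocol allow-list: one ACCEPT per permitted ethertype ...
    for proto in $allowed; do
        hex=$(ethertype_of "$proto") || {
            printf 'unknown layer-2 protocol: %s\n' "$proto" >&2
            return 1
        }
        printf '%s\n' "-A vm-l2-in -i $tap -p $hex -j ACCEPT"
    done
    # ... and a final catch-all so any other ethertype from this VM is dropped.
    printf '%s\n' "-A vm-l2-in -i $tap -j DROP"
}

# Sample run with constructed values (tap100i0 and the MAC are placeholders).
gen_vm_l2_rules tap100i0 52:54:00:12:34:56 "ARP IPv4 IPv6"
```

The final DROP after the ACCEPT lines is what turns the list into an allow-list, since a single ebtables -p match cannot express "not in this set"; resolving names to ethertype values at generation time means a misspelled protocol name aborts generation rather than leaving the VM with a rule that never matches.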