[pve-devel] pve-firewall: dhcp snooping

Alexandre DERUMIER aderumier at odiso.com
Wed Jun 4 13:39:21 CEST 2014 

>>But dietmar correctly comments on how do we know the IP. Or just as a
>>textfield set in the creation wizard? Makes this sence.

I think it depend how do you want to manage security.
Do you want that only superadmin specify ip/mac allowed for example ?
in this case, maybe in a external config is better.


----- Mail original ----- 

De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
À: "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: "Dietmar Maurer" <dietmar at proxmox.com>, pve-devel at pve.proxmox.com 
Envoyé: Mercredi 4 Juin 2014 13:19:22 
Objet: Re: [pve-devel] pve-firewall: dhcp snooping 

Am 04.06.2014 13:10, schrieb Alexandre DERUMIER: 
>>>>> net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3 
>>>>> It is then easy to implement such filter. 
>> 
>> also a good idea. 
>> 
>> Alexandre - any suggestions? 
> 
> I like this one ;) also, could be use when we'll implement dhcp server inside proxmox. 

But dietmar correctly comments on how do we know the IP. Or just as a 
textfield set in the creation wizard? Makes this sence. 

What are the enable DHCP and MAC Filter Options in the Firewall Options 
Menu? 

Stefan 

> ----- Mail original ----- 
> 
> De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
> À: "Dietmar Maurer" <dietmar at proxmox.com>, pve-devel at pve.proxmox.com 
> Envoyé: Mercredi 4 Juin 2014 12:43:51 
> Objet: Re: [pve-devel] pve-firewall: dhcp snooping 
> 
>>> net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3 
>>> It is then easy to implement such filter. 
> 
> also a good idea. 
> 
> Alexandre - any suggestions? 
> 
> 
> Am 04.06.2014 12:19, schrieb Stefan Priebe - Profihost AG: 
>> Am 04.06.2014 12:10, schrieb Dietmar Maurer: 
>>>> i'm starting to deploy the pve-firewall code on a test cluster. 
>>>> 
>>>> Something i really would like to have is dhcp snooping on the linux bridge so that 
>>>> VMs controlled by somebody else can't use fake / wrong ip adresses. 
>>>> 
>>>> Is something like this possible with the current firewall code? 
>>> 
>>> Not implemented, because we do not have/store a list of IPs. 
>>> 
>>> One option would be to store the list of allowed IP in the VM network config: 
>>> 
>>> net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3 
>>> 
>>> It is then easy to implement such filter. 
>>> 
>> 
>> For snooping there is no ip list neeeded. You just monitor DHCP ACK 
>> packets from specific MAC and IP and then generate the entries. 
>> 
>> Stefan 
>> _______________________________________________ 
>> pve-devel mailing list 
>> pve-devel at pve.proxmox.com 
>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
>> 
> _______________________________________________ 
> pve-devel mailing list 
> pve-devel at pve.proxmox.com 
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
>

More information about the pve-devel mailing list