[pve-devel] pve-firewall: dhcp snooping

Stefan Priebe - Profihost AG s.priebe at profihost.ag
Wed Jun 4 13:49:08 CEST 2014


Am 04.06.2014 13:39, schrieb Alexandre DERUMIER:
>>> But dietmar correctly comments on how do we know the IP. Or just as a
>>> textfield set in the creation wizard? Makes this sence.
> 
> I think it depend how do you want to manage security.
> Do you want that only superadmin specify ip/mac allowed for example ?
> in this case, maybe in a external config is better.

There's also:
https://github.com/michael-dev/ebtables-dhcpsnooping/

which monitors simply the dhcp traffic and automatically add the
relevant rules to ebtables.


> ----- Mail original ----- 
> 
> De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
> À: "Alexandre DERUMIER" <aderumier at odiso.com> 
> Cc: "Dietmar Maurer" <dietmar at proxmox.com>, pve-devel at pve.proxmox.com 
> Envoyé: Mercredi 4 Juin 2014 13:19:22 
> Objet: Re: [pve-devel] pve-firewall: dhcp snooping 
> 
> Am 04.06.2014 13:10, schrieb Alexandre DERUMIER: 
>>>>>> net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3 
>>>>>> It is then easy to implement such filter. 
>>>
>>> also a good idea. 
>>>
>>> Alexandre - any suggestions? 
>>
>> I like this one ;) also, could be use when we'll implement dhcp server inside proxmox. 
> 
> But dietmar correctly comments on how do we know the IP. Or just as a 
> textfield set in the creation wizard? Makes this sence. 
> 
> What are the enable DHCP and MAC Filter Options in the Firewall Options 
> Menu? 
> 
> Stefan 
> 
>> ----- Mail original ----- 
>>
>> De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
>> À: "Dietmar Maurer" <dietmar at proxmox.com>, pve-devel at pve.proxmox.com 
>> Envoyé: Mercredi 4 Juin 2014 12:43:51 
>> Objet: Re: [pve-devel] pve-firewall: dhcp snooping 
>>
>>>> net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3 
>>>> It is then easy to implement such filter. 
>>
>> also a good idea. 
>>
>> Alexandre - any suggestions? 
>>
>>
>> Am 04.06.2014 12:19, schrieb Stefan Priebe - Profihost AG: 
>>> Am 04.06.2014 12:10, schrieb Dietmar Maurer: 
>>>>> i'm starting to deploy the pve-firewall code on a test cluster. 
>>>>>
>>>>> Something i really would like to have is dhcp snooping on the linux bridge so that 
>>>>> VMs controlled by somebody else can't use fake / wrong ip adresses. 
>>>>>
>>>>> Is something like this possible with the current firewall code? 
>>>>
>>>> Not implemented, because we do not have/store a list of IPs. 
>>>>
>>>> One option would be to store the list of allowed IP in the VM network config: 
>>>>
>>>> net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3 
>>>>
>>>> It is then easy to implement such filter. 
>>>>
>>>
>>> For snooping there is no ip list neeeded. You just monitor DHCP ACK 
>>> packets from specific MAC and IP and then generate the entries. 
>>>
>>> Stefan 
>>> _______________________________________________ 
>>> pve-devel mailing list 
>>> pve-devel at pve.proxmox.com 
>>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
>>>
>> _______________________________________________ 
>> pve-devel mailing list 
>> pve-devel at pve.proxmox.com 
>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
>>



More information about the pve-devel mailing list