[pve-devel] pve-firewall: dhcp snooping
Alexandre DERUMIER
aderumier at odiso.com
Wed Jun 4 13:58:31 CEST 2014
>>There's also:
>>https://github.com/michael-dev/ebtables-dhcpsnooping/
>>
>>which simply monitors the DHCP traffic and automatically adds the
>>relevant rules to ebtables.
What happens in the case of a malicious hacker who sends false DHCP responses over the network?
----- Original Mail -----
From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: "Dietmar Maurer" <dietmar at proxmox.com>, pve-devel at pve.proxmox.com
Sent: Wednesday 4 June 2014 13:49:08
Subject: Re: [pve-devel] pve-firewall: dhcp snooping
On 04.06.2014 13:39, Alexandre DERUMIER wrote:
>>> But dietmar correctly comments on how do we know the IP. Or just as a
>>> textfield set in the creation wizard? Makes this sense.
>
> I think it depends on how you want to manage security.
> Do you want that only the superadmin specifies the allowed ip/mac, for example?
> In this case, maybe an external config is better.
There's also:
https://github.com/michael-dev/ebtables-dhcpsnooping/
which simply monitors the DHCP traffic and automatically adds the
relevant rules to ebtables.
> ----- Original Mail -----
>
> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
> To: "Alexandre DERUMIER" <aderumier at odiso.com>
> Cc: "Dietmar Maurer" <dietmar at proxmox.com>, pve-devel at pve.proxmox.com
> Sent: Wednesday 4 June 2014 13:19:22
> Subject: Re: [pve-devel] pve-firewall: dhcp snooping
>
> On 04.06.2014 13:10, Alexandre DERUMIER wrote:
>>>>>> net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3
>>>>>> It is then easy to implement such filter.
>>>
>>> also a good idea.
>>>
>>> Alexandre - any suggestions?
>>
>> I like this one ;) also, it could be used when we implement a DHCP server inside proxmox.
>
> But dietmar correctly comments on how do we know the IP. Or just as a
> textfield set in the creation wizard? Makes this sense.
>
> What are the enable DHCP and MAC Filter Options in the Firewall Options
> Menu?
>
> Stefan
>
>> ----- Original Mail -----
>>
>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>> To: "Dietmar Maurer" <dietmar at proxmox.com>, pve-devel at pve.proxmox.com
>> Sent: Wednesday 4 June 2014 12:43:51
>> Subject: Re: [pve-devel] pve-firewall: dhcp snooping
>>
>>>> net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3
>>>> It is then easy to implement such filter.
>>
>> also a good idea.
>>
>> Alexandre - any suggestions?
>>
>>
>> On 04.06.2014 12:19, Stefan Priebe - Profihost AG wrote:
>>> On 04.06.2014 12:10, Dietmar Maurer wrote:
>>>>> I'm starting to deploy the pve-firewall code on a test cluster.
>>>>>
>>>>> Something I really would like to have is DHCP snooping on the linux bridge so that
>>>>> VMs controlled by somebody else can't use fake / wrong ip addresses.
>>>>>
>>>>> Is something like this possible with the current firewall code?
>>>>
>>>> Not implemented, because we do not have/store a list of IPs.
>>>>
>>>> One option would be to store the list of allowed IP in the VM network config:
>>>>
>>>> net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3
>>>>
>>>> It is then easy to implement such filter.
>>>>
>>>
>>> For snooping there is no ip list needed. You just monitor DHCP ACK
>>> packets from specific MAC and IP and then generate the entries.
>>>
>>> Stefan
>>> _______________________________________________
>>> pve-devel mailing list
>>> pve-devel at pve.proxmox.com
>>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>>>
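The thread sketches two ways to obtain a MAC/IP binding for a VM (an `ip=` key in the `net0:` config line, or snooping DHCP ACKs) and Alexandre asks what a forged DHCP response would do to the snooping approach. The script below is an added illustration, not code from the thread or from ebtables-dhcpsnooping. It parses both sources into the same `Binding` and turns it into ebtables rules; to answer the forged-response question it only trusts DHCP ACKs that arrive on a trusted (uplink) port, since a VM can spoof the server-identifier option but cannot choose which bridge port its frames enter on. The `ip=` key, the port names and the sample packet are constructed assumptions; rules are returned as strings rather than executed.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

DHCP_ACK = 5                      # option 53 value for DHCPACK
OPT_MSG_TYPE, OPT_END = 53, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"


@dataclass(frozen=True)
class Binding:
    mac: str   # lower-case, colon separated
    ip: str


def parse_net_config(line: str) -> Optional[Binding]:
    """Parse a VM net line in the format proposed in the thread, e.g.
    'net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3'.
    The 'ip=' key is an assumption taken from Dietmar's proposal."""
    _, _, rest = line.partition(":")
    fields = rest.strip().split(",")
    _model, _, mac = fields[0].partition("=")
    opts = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
    if "ip" not in opts:
        return None
    return Binding(mac.lower(), opts["ip"])


def parse_dhcp(pkt: bytes) -> Dict:
    """Decode the fixed BOOTP header and the TLV option list of a DHCP payload."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, hlen = pkt[0], pkt[2]
    yiaddr = ".".join(str(b) for b in pkt[16:20])          # address being offered
    chaddr = ":".join(f"{b:02x}" for b in pkt[28:28 + hlen])  # client hardware address
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            break
        if code == 0:           # pad
            i += 1
            continue
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "yiaddr": yiaddr, "chaddr": chaddr, "options": opts}


def binding_from_ack(pkt: bytes, ingress_port: str, trusted_ports: Set[str]) -> Optional[Binding]:
    """Derive a binding from a DHCPACK, but only if the ACK entered the bridge on a
    trusted port. An ACK injected by a VM arrives on its own tap port and is ignored,
    which is the snooping answer to a rogue DHCP server on the segment."""
    if ingress_port not in trusted_ports:
        return None
    d = parse_dhcp(pkt)
    if d["op"] != 2 or d["options"].get(OPT_MSG_TYPE) != bytes([DHCP_ACK]):
        return None
    return Binding(d["chaddr"], d["yiaddr"])


def ebtables_rules(b: Binding, iface: str) -> List[str]:
    """ebtables FORWARD rules (as strings) that pin a tap interface to one MAC/IP pair.
    DHCP client traffic is allowed first so the VM can still obtain its lease."""
    base = f"ebtables -A FORWARD -i {iface}"
    return [
        f"{base} -p IPv4 --ip-proto udp --ip-sport 68 --ip-dport 67 -j ACCEPT",
        f"{base} -p IPv4 -s {b.mac} --ip-src {b.ip} -j ACCEPT",
        f"{base} -p ARP -s {b.mac} --arp-ip-src {b.ip} -j ACCEPT",
        f"{base} -j DROP",
    ]


def build_dhcp_ack(mac: bytes, yiaddr: str, xid: int = 0x12345678) -> bytes:
    """Constructed sample DHCPACK used for demonstration (not captured traffic)."""
    ip = bytes(int(o) for o in yiaddr.split("."))
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      2, 1, 6, 0, xid, 0, 0, b"\0" * 4, ip, b"\0" * 4, b"\0" * 4,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([OPT_MSG_TYPE, 1, DHCP_ACK, 54, 4, 192, 168, 2, 1, OPT_END])
    return hdr + MAGIC_COOKIE + options


if __name__ == "__main__":
    ack = build_dhcp_ack(bytes.fromhex("0e0b38b8b321"), "192.168.2.3")
    print(binding_from_ack(ack, "eth0", {"eth0"}))        # accepted: from uplink
    print(binding_from_ack(ack, "tap101i0", {"eth0"}))    # ignored: forged from a VM
    for rule in ebtables_rules(parse_net_config(
            "net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3"),
            "tap100i0"):
        print(rule)
```

The port-trust check is the part that matters: binding on the server-identifier option alone would let a VM answer its neighbour's DHCPDISCOVER with an ACK naming the real server and so write whatever MAC/IP pair it likes into the filter. With the static `ip=` variant the same `ebtables_rules` output is produced without any snooping at all, at the cost of the admin maintaining the address.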