[pve-devel] pve-firewall: dhcp snooping

Stefan Priebe - Profihost AG s.priebe at profihost.ag
Thu Jun 5 08:29:24 CEST 2014


On 05.06.2014 07:44, Alexandre DERUMIER wrote:
> 
>>> something like: 
>>>
>>> -A tap100i0-OUT -m mac ! --mac-source 0E:0B:38:B8:B3:21 -j DROP # we already have this 
>>> -A tap100i0-OUT -m set ! --match-set PVEFW-100-allowed-ips src -j DROP 
> 
> I can make a patch if you want.

Would be great - but I still don't know how this would work.

Does that mean we insert the VM IP into <VMID>.fw? What would be the
format? Who is able to edit this one?

I think the VM owner should be able to insert / update FW rules but
should NOT be able to change the allowed IP. Is this assumption correct?

Stefan

> ----- Original Message ----- 
> 
> From: "Dietmar Maurer" <dietmar at proxmox.com> 
> To: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>, "Alexandre DERUMIER" <aderumier at odiso.com> 
> Cc: pve-devel at pve.proxmox.com 
> Sent: Wednesday 4 June 2014 14:50:53 
> Subject: RE: [pve-devel] pve-firewall: dhcp snooping 
> 
>>> The 'allowed_ips' ipset idea is very easy to implement ... 
>>>
>>
>> OK so adding option IP to each netX. 
> 
> No, I talk about an IPSet defined inside the <VMID>.fw file. 
> 
>> Just don't know how to implement the 
>> firewall rule to only allow packets from this MAC and IP combination. 
> 
> something like: 
> 
> -A tap100i0-OUT -m mac ! --mac-source 0E:0B:38:B8:B3:21 -j DROP # we already have this 
> -A tap100i0-OUT -m set ! --match-set PVEFW-100-allowed-ips src -j DROP 
> 
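The MAC + IPSet pairing sketched in the quoted rules, as an added example that is not pve-firewall's own code: a POSIX shell generator that emits the ipset restore lines and the iptables rules for one VM. The chain and set names follow the thread (tap<VMID>i0-OUT, PVEFW-<VMID>-allowed-ips); the input validation, the DHCP client exception, the ACCEPT target and the sample addresses are assumptions of this example.

```shell
#!/bin/sh
# Added example (not pve-firewall code): emit the ipset and iptables fragments
# that pin a VM's outgoing traffic to its MAC and to an "allowed IPs" IPSet,
# following the rule sketch from the thread. Names follow the thread's
# convention (chain tap<VMID>i0-OUT, set PVEFW-<VMID>-allowed-ips); the
# validation, the DHCP exception and the sample values are assumptions.

# Reject anything that is not a colon-separated 6-octet MAC, so a value taken
# from an editable config file cannot smuggle extra arguments into the rule.
hex2='[0-9A-Fa-f][0-9A-Fa-f]'
pvefw_valid_mac() {
    case "$1" in
        $hex2:$hex2:$hex2:$hex2:$hex2:$hex2) return 0 ;;
        *) return 1 ;;
    esac
}

# Accept only dotted-quad IPv4 literals (hash:ip entries): digits and dots,
# exactly four octets, each 0..255. No spaces, no CIDR, no extra tokens.
pvefw_valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# ipset restore script for one VM. create/flush/add with -exist so that
# re-applying the same file is idempotent and never leaves stale entries.
# Usage: pvefw_ipset_restore <vmid> <ip>...
pvefw_ipset_restore() {
    vmid=$1; shift
    setname="PVEFW-${vmid}-allowed-ips"
    printf '%s\n' "create $setname hash:ip family inet -exist" "flush $setname"
    for ip in "$@"; do
        pvefw_valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
        printf '%s\n' "add $setname $ip -exist"
    done
}

# iptables rules for the VM's OUT chain, in the order they must be evaluated.
# Usage: pvefw_antispoof_rules <vmid> <mac>
pvefw_antispoof_rules() {
    vmid=$1; mac=$2
    pvefw_valid_mac "$mac" || { echo "invalid MAC: $mac" >&2; return 1; }
    chain="tap${vmid}i0-OUT"
    setname="PVEFW-${vmid}-allowed-ips"
    # 1. Drop frames not carrying the VM's own MAC (the rule pve-firewall has today).
    printf '%s\n' "-A $chain -m mac ! --mac-source $mac -j DROP"
    # 2. Assumption: let the DHCP client handshake through. A DHCPDISCOVER is
    #    sent from source 0.0.0.0, which can never be in the allowed set, so
    #    without this exception a DHCP-configured VM never gets an address.
    printf '%s\n' "-A $chain -p udp --sport 68 --dport 67 -j ACCEPT"
    # 3. Drop any packet whose source IP is not in the VM's allowed set.
    printf '%s\n' "-A $chain -m set ! --match-set $setname src -j DROP"
}

# Demo with constructed values: VM 100, the MAC from the thread, two
# documentation-range addresses standing in for the VM's allowed IPs.
pvefw_ipset_restore 100 192.0.2.10 192.0.2.11
pvefw_antispoof_rules 100 0E:0B:38:B8:B3:21
```

The first function's output is meant for `ipset restore`, the second's for the per-VM chain that pve-firewall builds via `iptables-restore`; the ACCEPT target in the DHCP exception should be swapped for whatever accept convention that chain uses. Rule order is what makes this spoofing-resistant: the MAC check first, then the DHCP exception, then the IPSet drop. The validation matters for exactly the ownership question raised above: if the VM owner can edit <VMID>.fw, every value read from it ends up on a rule line, so the MAC and each address are checked against a strict shape before they are emitted.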