[pve-devel] pve-firewall: dhcp snooping

Alexandre DERUMIER aderumier at odiso.com
Thu Jun 5 10:15:34 CEST 2014


>>This is cool and great but we should also think of the possibility -
>>that the user cannot freely decide which IP he wants to use and we still
>>want to have the above protection.

I think more something like:

only the superadmin defines IP pools, with IPs inside.
then choose which user is allowed to use which pool.

and a user can only use IPs of his pool.


(or do you want to force a user to use a specific IP, for a specific VM?)



----- Original Message -----

From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com, "Dietmar Maurer" <dietmar at proxmox.com>
Sent: Thursday 5 June 2014 10:05:25
Subject: Re: [pve-devel] pve-firewall: dhcp snooping

On 05.06.2014 09:34, Alexandre DERUMIER wrote:
>>> Does that mean we insert the VM IP into <VMID>.fw ? What would be the 
>>> format? Who is able to edit this one. 
> 
> net0 : .....,ips=192.168.0.1,192.168.0.2 
> 
> (like this it's possible to have multiple IPs per interface)
> 
> 
> add an option in firewall like : ipspoofingprotection : 1|0 

sounds great. 

>>> I think the VM owner should be able to insert / update FW rules but
>>> should NOT be able to change the allowed IP. Is this assumption correct?
> 
> Dietmar would like to implement some kind of "ip pools",
> you define pools of IPs, then give users permission to use these IPs.
> then the user can assign these IPs to VMs of his choice

This is cool and great but we should also think of the possibility -
that the user cannot freely decide which IP he wants to use and we still
want to have the above protection.

Stefan 


> ----- Original Message -----
>
> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
> To: "Alexandre DERUMIER" <aderumier at odiso.com>, "Dietmar Maurer" <dietmar at proxmox.com>
> Cc: pve-devel at pve.proxmox.com
> Sent: Thursday 5 June 2014 08:29:24
> Subject: Re: [pve-devel] pve-firewall: dhcp snooping
> 
> 
> On 05.06.2014 07:44, Alexandre DERUMIER wrote:
>> 
>>>> something like: 
>>>> 
>>>> -A tap100i0-OUT -m mac ! --mac-source 0E:0B:38:B8:B3:21 -j DROP # we already have this
>>>> -A tap100i0-OUT -m set ! --match-set PVEFW-100-allowed-ips src -j DROP
>> 
>> I can make a patch if you want. 
> 
> Would be great - but i still don't know how this would work. 
> 
> Does that mean we insert the VM IP into <VMID>.fw ? What would be the 
> format? Who is able to edit this one. 
> 
> I think the VM owner should be able to insert / update FW rules but
> should NOT be able to change the allowed IP. Is this assumption correct?
> 
> Stefan 
> 
>> ----- Original Message -----
>>
>> From: "Dietmar Maurer" <dietmar at proxmox.com>
>> To: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>, "Alexandre DERUMIER" <aderumier at odiso.com>
>> Cc: pve-devel at pve.proxmox.com
>> Sent: Wednesday 4 June 2014 14:50:53
>> Subject: RE: [pve-devel] pve-firewall: dhcp snooping
>> 
>>>> The 'allowed_ips' ipset idea is very easy to implement ... 
>>>> 
>>> 
>>> OK so adding option IP to each netX. 
>> 
>> No, I talk about an IPSet defined inside the <VMID>.fw file. 
>> 
>>> Just don't know how to implement the 
>>> firewall rule to only allow packets from this MAC and IP combination. 
>> 
>> something like: 
>> 
>> -A tap100i0-OUT -m mac ! --mac-source 0E:0B:38:B8:B3:21 -j DROP # we already have this
>> -A tap100i0-OUT -m set ! --match-set PVEFW-100-allowed-ips src -j DROP
>> 


