[pve-devel] pve-firewall: dhcp snooping
Stefan Priebe - Profihost AG
s.priebe at profihost.ag
Thu Jun 5 10:27:41 CEST 2014
Am 05.06.2014 10:15, schrieb Alexandre DERUMIER:
>>> This is cool and great but we should also think of the possibility -
>>> that the use cannot freely decide which IP he wants to use and we still
>>> want to have the above protection.
>
> I think more something like:
>
> onlysuperadmin define ip pools, with ip inside.
> then choose which user is allowed to use which pool.
>
> and user can only use ips of his pool.
> (or do you want to force a user to use a specific ip, for a specific
> vm ?)
Yes this is great and might be good for several use cases. But if you
think of users having only 1 vm and only beeing allowed to use one ip it
is a lot of work to create pools for each.
I would prefer a solution which covers both.
Stefan
> ----- Mail original -----
>
> De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
> À: "Alexandre DERUMIER" <aderumier at odiso.com>
> Cc: pve-devel at pve.proxmox.com, "Dietmar Maurer" <dietmar at proxmox.com>
> Envoyé: Jeudi 5 Juin 2014 10:05:25
> Objet: Re: [pve-devel] pve-firewall: dhcp snooping
>
> Am 05.06.2014 09:34, schrieb Alexandre DERUMIER:
>>>> Does that mean we insert the VM IP into <VMID>.fw ? What would be the
>>>> format? Who is able to edit this one.
>>
>> net0 : .....,ips=192.168.0.1,192.168.0.2
>>
>> (like this it's possible to have multiple ip by interface)
>>
>>
>> add an option in firewall like : ipspoofingprotection : 1|0
>
> sounds great.
>
>>>> I think the VM owner should be able to insert / udpate FW rules but
>>>> should NOT be able to change the allowed IP. Is this assumption correct?
>>
>> Diemar would like to implement some kind of "ip pools",
>> you defined pools of ips, then give user permission to use theses ips.
>> then user can assign theses ip in vms of his choice
>
> This is cool and great but we should also think of the possibility -
> that the use cannot freely decide which IP he wants to use and we still
> want to have the above protection.
>
> Stefan
>
>
>> ----- Mail original -----
>>
>> De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>> À: "Alexandre DERUMIER" <aderumier at odiso.com>, "Dietmar Maurer" <dietmar at proxmox.com>
>> Cc: pve-devel at pve.proxmox.com
>> Envoyé: Jeudi 5 Juin 2014 08:29:24
>> Objet: Re: [pve-devel] pve-firewall: dhcp snooping
>>
>>
>> Am 05.06.2014 07:44, schrieb Alexandre DERUMIER:
>>>
>>>>> something like:
>>>>>
>>>>> -A tap100i0-OUT -m mac ! --mac-source 0E:0B:38:B8:B3:21 -j DROP # we already have this
>>>>> -A tap100i0-OUT --m set ! --match-set PVEFW-100-allowed-ips src -J DROP
>>>
>>> I can make a patch if you want.
>>
>> Would be great - but i still don't know how this would work.
>>
>> Does that mean we insert the VM IP into <VMID>.fw ? What would be the
>> format? Who is able to edit this one.
>>
>> I think the VM owner should be able to insert / udpate FW rules but
>> should NOT be able to change the allowed IP. Is this assumption correct?
>>
>> Stefan
>>
>>> ----- Mail original -----
>>>
>>> De: "Dietmar Maurer" <dietmar at proxmox.com>
>>> À: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>, "Alexandre DERUMIER" <aderumier at odiso.com>
>>> Cc: pve-devel at pve.proxmox.com
>>> Envoyé: Mercredi 4 Juin 2014 14:50:53
>>> Objet: RE: [pve-devel] pve-firewall: dhcp snooping
>>>
>>>>> The 'allowed_ips' ipset idea is very easy to implement ...
>>>>>
>>>>
>>>> OK so adding option IP to each netX.
>>>
>>> No, I talk about an IPSet defined inside the <VMID>.fw file.
>>>
>>>> Just don't know how to implement the
>>>> firewall rule to only allow packets from this MAC and IP combination.
>>>
>>> something like:
>>>
>>> -A tap100i0-OUT -m mac ! --mac-source 0E:0B:38:B8:B3:21 -j DROP # we already have this
>>> -A tap100i0-OUT --m set ! --match-set PVEFW-100-allowed-ips src -J DROP
>>>
More information about the pve-devel
mailing list