[pve-devel] pve-firewall: dhcp snooping

Alexandre DERUMIER aderumier at odiso.com
Thu Jun 5 13:20:30 CEST 2014


>>I would prefer a solution which covers both. 

I'll make the patch for the IPs in vmid.conf and the firewall protection.

I think Dietmar has more ideas for implementing permissions ;)


----- Original Message ----- 

From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
To: "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: pve-devel at pve.proxmox.com, "Dietmar Maurer" <dietmar at proxmox.com> 
Sent: Thursday 5 June 2014 10:27:41 
Subject: Re: [pve-devel] pve-firewall: dhcp snooping 

On 05.06.2014 10:15, Alexandre DERUMIER wrote: 
>>> This is cool and great but we should also think of the possibility 
>>> that the user cannot freely decide which IP he wants to use and we still 
>>> want to have the above protection. 
> 
> I think more something like: 
> 
> Only the superadmin defines IP pools, with IPs inside, 
> then chooses which user is allowed to use which pool, 
> 
> and a user can only use IPs of his pool. 
> (Or do you want to force a user to use a specific IP for a specific 
> VM?) 

Yes, this is great and might be good for several use cases. But if you 
think of users having only 1 VM and only being allowed to use one IP, it 
is a lot of work to create pools for each. 

I would prefer a solution which covers both. 

Stefan 

> ----- Original Message ----- 
> 
> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
> To: "Alexandre DERUMIER" <aderumier at odiso.com> 
> Cc: pve-devel at pve.proxmox.com, "Dietmar Maurer" <dietmar at proxmox.com> 
> Sent: Thursday 5 June 2014 10:05:25 
> Subject: Re: [pve-devel] pve-firewall: dhcp snooping 
> 
> On 05.06.2014 09:34, Alexandre DERUMIER wrote: 
>>>> Does that mean we insert the VM IP into <VMID>.fw ? What would be the 
>>>> format? Who is able to edit this one? 
>> 
>> net0 : .....,ips=192.168.0.1,192.168.0.2 
>> 
>> (like this it is possible to have multiple IPs per interface) 
>> 
>> 
>> add an option in the firewall like: ipspoofingprotection: 1|0 
> 
> sounds great. 
> 
>>>> I think the VM owner should be able to insert / update FW rules but 
>>>> should NOT be able to change the allowed IP. Is this assumption correct? 
>> 
>> Dietmar would like to implement some kind of "IP pools": 
>> you define pools of IPs, then give users permission to use these IPs. 
>> Then a user can assign these IPs to VMs of his choice. 
> 
> This is cool and great but we should also think of the possibility 
> that the user cannot freely decide which IP he wants to use and we still 
> want to have the above protection. 
> 
> Stefan 
> 
> 
>> ----- Original Message ----- 
>> 
>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
>> To: "Alexandre DERUMIER" <aderumier at odiso.com>, "Dietmar Maurer" <dietmar at proxmox.com> 
>> Cc: pve-devel at pve.proxmox.com 
>> Sent: Thursday 5 June 2014 08:29:24 
>> Subject: Re: [pve-devel] pve-firewall: dhcp snooping 
>> 
>> 
>> On 05.06.2014 07:44, Alexandre DERUMIER wrote: 
>>> 
>>>>> something like: 
>>>>> 
>>>>> -A tap100i0-OUT -m mac ! --mac-source 0E:0B:38:B8:B3:21 -j DROP # we already have this 
>>>>> -A tap100i0-OUT -m set ! --match-set PVEFW-100-allowed-ips src -j DROP 
>>> 
>>> I can make a patch if you want. 
>> 
>> Would be great - but I still don't know how this would work. 
>> 
>> Does that mean we insert the VM IP into <VMID>.fw ? What would be the 
>> format? Who is able to edit this one? 
>> 
>> I think the VM owner should be able to insert / update FW rules but 
>> should NOT be able to change the allowed IP. Is this assumption correct? 
>> 
>> Stefan 
>> 
>>> ----- Original Message ----- 
>>> 
>>> From: "Dietmar Maurer" <dietmar at proxmox.com> 
>>> To: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>, "Alexandre DERUMIER" <aderumier at odiso.com> 
>>> Cc: pve-devel at pve.proxmox.com 
>>> Sent: Wednesday 4 June 2014 14:50:53 
>>> Subject: RE: [pve-devel] pve-firewall: dhcp snooping 
>>> 
>>>>> The 'allowed_ips' ipset idea is very easy to implement ... 
>>>>> 
>>>> 
>>>> OK, so adding an IP option to each netX. 
>>> 
>>> No, I talk about an IPSet defined inside the <VMID>.fw file. 
>>> 
>>>> Just don't know how to implement the 
>>>> firewall rule to only allow packets from this MAC and IP combination. 
>>> 
>>> something like: 
>>> 
>>> -A tap100i0-OUT -m mac ! --mac-source 0E:0B:38:B8:B3:21 -j DROP # we already have this 
>>> -A tap100i0-OUT -m set ! --match-set PVEFW-100-allowed-ips src -j DROP 
>>> 
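The MAC-plus-ipset rules discussed in this thread, as an added example that is not part of pve-firewall and not code posted by anyone on the list: a small POSIX shell helper that takes a vmid.conf net line in the `ips=` syntax Alexandre proposes, extracts the guest MAC and the allowed source addresses, and prints the ipset and iptables commands for the tap<vmid>i<idx>-OUT chain. The property parsing (a comma-separated token without `=` continues the previous value, which is how `ips=a,b` has to be read since the comma is also the property separator), the function names and the sample net line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not pve-firewall code: derive the anti-spoofing rules from a
# vmid.conf net line using the proposed "ips=" option.  Option syntax, parsing
# rules and the sample input are assumptions made for illustration.

# Constructed sample net line: guest MAC plus two allowed source addresses.
SAMPLE_NET='virtio=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ips=192.168.0.1,192.168.0.2'

# Split "key=value,key=value" into one "key value" line per property.
# Assumption: a comma-separated token without '=' continues the previous
# value, which is how "ips=a,b" has to be read since ',' is also the
# property separator.
net_properties() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -F= '
        NF >= 2 { key = $1; sub(/^[^=]*=/, ""); print key, $0; next }
        NF == 1 && key != "" { print key, $1 }'
}

# The guest MAC is the value of the NIC model property (virtio=, e1000=, ...).
net_mac() {
    net_properties "$1" | awk '$1 ~ /^(virtio|e1000|rtl8139|vmxnet3)$/ { print $2; exit }'
}

# All ips= entries, space separated, in config order.
net_ips() {
    net_properties "$1" | awk '$1 == "ips" { printf "%s%s", sep, $2; sep = " " } END { print "" }'
}

# Print the ipset and iptables commands for one interface: $1 = vmid,
# $2 = net line, $3 = interface index (net0 -> 0).  Outgoing guest traffic
# (the tap<vmid>i<idx>-OUT chain from the thread) must carry both the
# configured MAC and a source address from the per-VM ipset.
gen_rules() {
    vmid=$1 net=$2 idx=${3:-0}
    mac=$(net_mac "$net")
    ips=$(net_ips "$net")
    set_name="PVEFW-${vmid}-allowed-ips"
    chain="tap${vmid}i${idx}-OUT"
    if [ -z "$mac" ]; then
        echo "gen_rules: no NIC model/MAC in net line" >&2
        return 1
    fi
    # An empty set combined with '! --match-set ... src' drops every packet
    # the guest sends, so refuse instead of silently cutting the VM off.
    if [ -z "$ips" ]; then
        echo "gen_rules: no ips= entries, refusing to build an empty allow list" >&2
        return 1
    fi
    echo "ipset create $set_name hash:ip -exist"
    echo "ipset flush $set_name"
    for ip in $ips; do
        echo "ipset add $set_name $ip -exist"
    done
    echo "iptables -A $chain -m mac ! --mac-source $mac -j DROP"
    echo "iptables -A $chain -m set ! --match-set $set_name src -j DROP"
}

# Run with --demo to print the commands for VM 100 / net0 without applying them.
if [ "${1:-}" = "--demo" ]; then
    gen_rules 100 "$SAMPLE_NET" 0
fi
```

The MAC rule and the ipset rule are kept as two separate DROPs so that each one can be toggled independently (the MAC rule already exists today, the ipset rule is what an ipspoofingprotection option would add); together they bind the guest to the MAC and IP combination Stefan asks for. Two caveats a practitioner will hit: a hash:ip set cannot hold 0.0.0.0 and the second rule drops everything not in the set, so a guest that still has to obtain its address via DHCP (its DHCPDISCOVER leaves with source 0.0.0.0) needs an explicit accept for that exchange ahead of the DROP rules, and IPv6 addresses need a separate family inet6 set and matching ip6tables rules.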
