[pve-devel] pve-firewall: dhcp snooping
Stefan Priebe - Profihost AG
s.priebe at profihost.ag
Tue Jun 10 08:45:37 CEST 2014
Am 10.06.2014 08:31, schrieb Alexandre DERUMIER:
> Hi,
> I'll send patches this week, I was too busy last week.
Thanks - I'm looking forward to those. I hope we can find a way to make
VM network stuff more secure in all places. libvirt does it with these:
http://libvirt.org/formatnwfilter.html
Greets,
Stefan
> Alexandre
>
> ----- Mail original -----
>
> De: "Alexandre DERUMIER" <aderumier at odiso.com>
> À: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
> Cc: pve-devel at pve.proxmox.com
> Envoyé: Jeudi 5 Juin 2014 13:20:30
> Objet: Re: [pve-devel] pve-firewall: dhcp snooping
>
>>> I would prefer a solution which covers both.
>
> I'll make the patch for the ips in vmid.conf and firewall protection.
>
> I think Dietmar has more ideas for implementing permissions ;)
>
>
> ----- Mail original -----
>
> De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
> À: "Alexandre DERUMIER" <aderumier at odiso.com>
> Cc: pve-devel at pve.proxmox.com, "Dietmar Maurer" <dietmar at proxmox.com>
> Envoyé: Jeudi 5 Juin 2014 10:27:41
> Objet: Re: [pve-devel] pve-firewall: dhcp snooping
>
> Am 05.06.2014 10:15, schrieb Alexandre DERUMIER:
>>>> This is cool and great but we should also think of the possibility -
>>>> that the user cannot freely decide which IP he wants to use and we still
>>>> want to have the above protection.
>>
>> I think more something like:
>>
>> onlysuperadmin define ip pools, with ip inside.
>> then choose which user is allowed to use which pool.
>>
>> and user can only use ips of his pool.
>> (or do you want to force a user to use a specific ip, for a specific
>> vm ?)
>
> Yes this is great and might be good for several use cases. But if you
> think of users having only 1 VM and only being allowed to use one IP, it
> is a lot of work to create pools for each.
>
> I would prefer a solution which covers both.
>
> Stefan
>
>> ----- Mail original -----
>>
>> De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>> À: "Alexandre DERUMIER" <aderumier at odiso.com>
>> Cc: pve-devel at pve.proxmox.com, "Dietmar Maurer" <dietmar at proxmox.com>
>> Envoyé: Jeudi 5 Juin 2014 10:05:25
>> Objet: Re: [pve-devel] pve-firewall: dhcp snooping
>>
>> Am 05.06.2014 09:34, schrieb Alexandre DERUMIER:
>>>>> Does that mean we insert the VM IP into <VMID>.fw ? What would be the
>>>>> format? Who is able to edit this one.
>>>
>>> net0 : .....,ips=192.168.0.1,192.168.0.2
>>>
>>> (like this it's possible to have multiple IPs per interface)
>>>
>>>
>>> add an option in firewall like : ipspoofingprotection : 1|0
>>
>> sounds great.
>>
>>>>> I think the VM owner should be able to insert / update FW rules but
>>>>> should NOT be able to change the allowed IP. Is this assumption correct?
>>>
>>> Dietmar would like to implement some kind of "ip pools",
>>> you define pools of IPs, then give users permission to use these IPs.
>>> then users can assign these IPs to VMs of their choice
>>
>> This is cool and great but we should also think of the possibility -
>> that the user cannot freely decide which IP he wants to use and we still
>> want to have the above protection.
>>
>> Stefan
>>
>>
>>> ----- Mail original -----
>>>
>>> De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>>> À: "Alexandre DERUMIER" <aderumier at odiso.com>, "Dietmar Maurer" <dietmar at proxmox.com>
>>> Cc: pve-devel at pve.proxmox.com
>>> Envoyé: Jeudi 5 Juin 2014 08:29:24
>>> Objet: Re: [pve-devel] pve-firewall: dhcp snooping
>>>
>>>
>>> Am 05.06.2014 07:44, schrieb Alexandre DERUMIER:
>>>>
>>>>>> something like:
>>>>>>
>>>>>> -A tap100i0-OUT -m mac ! --mac-source 0E:0B:38:B8:B3:21 -j DROP # we already have this
>>>>>> -A tap100i0-OUT -m set ! --match-set PVEFW-100-allowed-ips src -j DROP
>>>>
>>>> I can make a patch if you want.
>>>
>>> Would be great - but i still don't know how this would work.
>>>
>>> Does that mean we insert the VM IP into <VMID>.fw ? What would be the
>>> format? Who is able to edit this one.
>>>
>>> I think the VM owner should be able to insert / update FW rules but
>>> should NOT be able to change the allowed IP. Is this assumption correct?
>>>
>>> Stefan
>>>
>>>> ----- Mail original -----
>>>>
>>>> De: "Dietmar Maurer" <dietmar at proxmox.com>
>>>> À: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>, "Alexandre DERUMIER" <aderumier at odiso.com>
>>>> Cc: pve-devel at pve.proxmox.com
>>>> Envoyé: Mercredi 4 Juin 2014 14:50:53
>>>> Objet: RE: [pve-devel] pve-firewall: dhcp snooping
>>>>
>>>>>> The 'allowed_ips' ipset idea is very easy to implement ...
>>>>>>
>>>>>
>>>>> OK so adding option IP to each netX.
>>>>
>>>> No, I talk about an IPSet defined inside the <VMID>.fw file.
>>>>
>>>>> Just don't know how to implement the
>>>>> firewall rule to only allow packets from this MAC and IP combination.
>>>>
>>>> something like:
>>>>
>>>> -A tap100i0-OUT -m mac ! --mac-source 0E:0B:38:B8:B3:21 -j DROP # we already have this
>>>> -A tap100i0-OUT -m set ! --match-set PVEFW-100-allowed-ips src -j DROP
>>>>
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
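The thread proposes an `ips=` option on the VM's netX line, an ipset named after the VMID, and a pair of DROP rules (one on the MAC, one on the source IP) in the tapXiY-OUT chain. The script below is an added example, not pve-firewall code or a patch from this thread: it parses a constructed netX value with the proposed `ips=` option, validates the addresses, and prints the ipset and iptables commands that the quoted rules would need. It only prints them, so it runs unprivileged. The `ips=` option, the `hash:ip` set type and the refusal to emit rules when no IPs are configured are assumptions made here; the set name `PVEFW-100-allowed-ips`, the chain `tap100i0-OUT` and the MAC come from the thread. Because the netX line is itself comma separated, the parser treats the `ips=` value plus every following token without `=` as part of the IP list, which is one way to cope with the ambiguity the proposed format introduces.

```shell
#!/bin/sh
# Added example (not pve-firewall code): turn a hypothetical "ips="
# option on a VM's netX line into an ipset plus the two anti-spoofing
# rules discussed in the thread. Nothing is applied; the functions only
# print the commands, so this runs without root.

# Constructed sample netX value. "ips=" is the option proposed in the
# thread, not an existing Proxmox option.
SAMPLE_NET0="virtio=0E:0B:38:B8:B3:21,bridge=vmbr0,ips=192.168.0.1,192.168.0.2"

# Print the MAC from a netX value: the first key=value whose value is
# 17 hex/colon characters (e.g. virtio=0E:0B:38:B8:B3:21).
parse_mac() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed -n 's/^[a-z0-9]*=\([0-9A-Fa-f:]\{17\}\)$/\1/p' | head -n 1
}

# Print the IPs of the "ips=" option, space separated. The netX line is
# comma separated too, so the list is the "ips=" value plus every
# following token that carries no "=" (assumption: keys never contain
# dots, IPs never contain "=").
parse_ips() {
    ips=""
    in_ips=0
    for tok in $(printf '%s\n' "$1" | tr ',' ' '); do
        case "$tok" in
            ips=*) ips="${tok#ips=}"; in_ips=1 ;;
            *=*)   in_ips=0 ;;
            *)     [ "$in_ips" -eq 1 ] && ips="$ips $tok" ;;
        esac
    done
    printf '%s\n' "$ips"
}

# Accept only dotted-quad IPv4 with octets <= 255; anything else is
# refused rather than silently added to the allow list.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Emit ipset and iptables commands for VMID $1, interface index $2 and
# netX value $3, mirroring the two rules quoted in the thread. With an
# empty set the "! --match-set" rule would drop all VM traffic, so an
# absent/empty ips= option is an error here instead of a silent blackhole.
gen_rules() {
    vmid="$1"; idx="$2"; net="$3"
    mac=$(parse_mac "$net")
    ips=$(parse_ips "$net")
    set_name="PVEFW-${vmid}-allowed-ips"
    chain="tap${vmid}i${idx}-OUT"
    [ -n "$mac" ] || { echo "no MAC found in net${idx}" >&2; return 1; }
    [ -n "$ips" ] || { echo "no ips= option in net${idx}" >&2; return 1; }
    for ip in $ips; do
        valid_ipv4 "$ip" || { echo "bad ip: $ip" >&2; return 1; }
    done
    echo "ipset create $set_name hash:ip -exist"
    echo "ipset flush $set_name"
    for ip in $ips; do
        echo "ipset add $set_name $ip -exist"
    done
    echo "iptables -A $chain -m mac ! --mac-source $mac -j DROP"
    echo "iptables -A $chain -m set ! --match-set $set_name src -j DROP"
}

gen_rules 100 0 "$SAMPLE_NET0"
```

Running it prints the create/flush/add commands for `PVEFW-100-allowed-ips` followed by the MAC rule and the `-m set ! --match-set ... src -j DROP` rule for `tap100i0-OUT`. Feeding it a value with a malformed address (for example an octet above 255) or with no `ips=` option makes it fail before any rule is printed, which is the behaviour a real implementation of the `ipspoofingprotection` toggle should also have: never install a source filter whose set is empty.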