[pve-devel] pve-firewall : add ipfilter protection

Alexandre DERUMIER aderumier at odiso.com
Wed Jun 11 16:03:18 CEST 2014


>>Thanks - will try that but how to bind this to mac addresses or network 
>>interfaces? I mean a user can have multiple network interfaces. 

mac filter is done from vm config file (net0 : ...).

but indeed, maybe it could be great to have an ipset by interface

[IPSET ipfilter-net0]  for example



----- Original Message ----- 

From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
To: "Alexandre DERUMIER" <aderumier at odiso.com>, "Dietmar Maurer" <dietmar at proxmox.com> 
Cc: pve-devel at pve.proxmox.com 
Sent: Wednesday 11 June 2014 15:53:42 
Subject: Re: [pve-devel] pve-firewall : add ipfilter protection 

On 11.06.2014 15:49, Alexandre DERUMIER wrote: 
>>> Can you please give me an example how to limit a user to a specific ip 
>>> with your commit? 
> 
> Do have read the code, but it should be 
> 
> in /etc/pve/firewall/vmid.fw 
> 
> 
> [IPSET ipfilter] 
> 192.168.0.1 
> 10.0.0.0/8 
> .... 

Thanks - will try that but how to bind this to mac addresses or network 
interfaces? I mean a user can have multiple network interfaces. 

Maybe he is allowed to use IPA on net0 and IPB on net1 but not IPB on net0. 

Greets, 
Stefan 


> ----- Original Message ----- 
> 
> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
> To: "Dietmar Maurer" <dietmar at proxmox.com>, "Alexandre DERUMIER" <aderumier at odiso.com> 
> Cc: pve-devel at pve.proxmox.com 
> Sent: Wednesday 11 June 2014 15:30:18 
> Subject: Re: [pve-devel] pve-firewall : add ipfilter protection 
> 
> 
> On 11.06.2014 10:07, Dietmar Maurer wrote: 
>>>>> Would it make sense to also allow ip/mask notation so pve knows more about 
>>> the network? May be display user ip settings? 
>>> 
>>> Don't have tested, but I think it should work. I'll test that today. 
>> 
>> I just applied a simplified version of your patch. 
>> 
>> I simply apply the filter if the VM firewall configuration defines an ipset named 'ipfilter'. 
>> 
>> This works with venet and tap devices, and does not require any change in qemu-server config. 
>> 
>> Does that work for you? 
> 
> Can you please give me an example how to limit a user to a specific ip 
> with your commit? 
> 
> Which lines do i have to insert into which files? 
> 
> Thanks! 
> 
> Greets, 
> Stefan 
> 



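The thread describes the `[IPSET ipfilter]` section of `/etc/pve/firewall/<vmid>.fw` and floats a per-interface variant such as `[IPSET ipfilter-net0]`. The following added example (not code from pve-firewall or from any poster) parses that section format and evaluates Stefan's scenario; the precedence rule "per-interface set wins over the generic set, no set means no filtering" and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of a <vmid>.fw file: a generic 'ipfilter' set plus the
# per-interface 'ipfilter-net0' / 'ipfilter-net1' sets proposed in the thread.
# The addresses are made up for this example.
SAMPLE_FW = """\
[IPSET ipfilter]
192.168.0.1
10.0.0.0/8

[IPSET ipfilter-net0]
192.168.0.1

[IPSET ipfilter-net1]
192.168.0.2
"""

def parse_ipsets(text):
    """Return {ipset_name: [ip_network, ...]} from every [IPSET name] section."""
    ipsets = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            # Section header: only IPSET sections are collected here.
            kind, _, name = line[1:-1].partition(" ")
            current = name.strip() if kind.upper() == "IPSET" else None
            continue
        if current is not None:
            # A bare address becomes a /32 (or /128) network.
            ipsets[current].append(ipaddress.ip_network(line, strict=False))
    return dict(ipsets)

def source_allowed(ipsets, iface, src_ip):
    """Hypothetical policy check: may src_ip be used on interface iface?

    Assumed precedence: 'ipfilter-<iface>' if defined, else 'ipfilter';
    with neither defined the VM is not ip-filtered at all.
    """
    addr = ipaddress.ip_address(src_ip)
    for name in (f"ipfilter-{iface}", "ipfilter"):
        if name in ipsets:
            return any(addr in net for net in ipsets[name])
    return True
```

Running `source_allowed(parse_ipsets(SAMPLE_FW), "net0", "192.168.0.2")` models Stefan's "IPB on net0" case and is rejected, while the same address on `net1` is accepted.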