[pve-devel] [PATCH] add ips feature v3

Alexandre DERUMIER aderumier at odiso.com
Tue Mar 18 10:33:06 CET 2014


> I don't know, but if they are critical, maybe we can bypass the IPS?

>>I guess this is a question for the IPS developers.

I see in the default suricata/snort rules

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Fragment Reassembly Time Exceeded"; icode:1; itype:11; classtype:misc-activity; sid:410; rev:5;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Time-To-Live Exceeded in Transit"; icode:0; itype:11; classtype:misc-activity; sid:449; rev:6;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Time-To-Live Exceeded in Transit undefined code"; icode:>1; itype:11; classtype:misc-activity; sid:450; rev:8;)


But these are only alerts by default, not drops.


>> last question, do you think I need to add PVEFW-Accept for host default 
>> rules? (as they are mainly inter-cluster rules) 
>>
>>I have no idea if the IPS needs that, sorry. 
I just wanted to say, if we want to add the overhead of

-j PVEFW-Accept
   -tap1
   -tap2
   -tap3
-j ACCEPT

for these rules.
(as I think it should never match -tap NFQUEUE)

----- Original Message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Tuesday 18 March 2014 09:22:04
Subject: RE: [pve-devel] [PATCH] add ips feature v3

> Do you think the overhead is big ? 
> I can work on an optimisation to only replace ACCEPT when ips is enabled 
> 

Ok, lets go the simple way. We can optimize later. 

> >>Besides, I cannot see that this patch replaces all ACCEPT actions, for 
> example: 
> >> 
> >>--------------- 
> >>sub ruleset_generate_vm_rules { 
> >>... 
> 
> >>if ($direction eq 'OUT') { 
> >>... 
> >>} else { 
> >>ruleset_generate_rule($ruleset, $chain, $rule, { REJECT => 
> >>"PVEFW-reject" }); } 
> >> 
> >>} 
> >>---------------- 
> >> 
> >>So that generates normal ACCEPT? 
> 
> Oh, I didn't see that we have ACCEPT in 'PVEFW-Reject' and 'PVEFW-Drop'
> 
> 'PVEFW-Reject' => [ 
> # ACCEPT critical ICMP types 
> { action => 'ACCEPT', proto => 'icmp', dport => 'fragmentation-needed' }, 
> { action => 'ACCEPT', proto => 'icmp', dport => 'time-exceeded' }, 
> ], 
> 
> 'PVEFW-Drop' => [ 
> # ACCEPT critical ICMP types 
> { action => 'ACCEPT', proto => 'icmp', dport => 'fragmentation-needed' }, 
> { action => 'ACCEPT', proto => 'icmp', dport => 'time-exceeded' }, 
> ], 
> 
> I don't know, but if they are critical, maybe we can bypass the IPS?

I guess this is a question for the IPS developers.

> last question, do you think I need to add PVEFW-Accept for host default 
> rules? (as they are mainly inter-cluster rules) 

I have no idea if the IPS needs that, sorry. 
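As an added illustration of the chain layout discussed in this thread (example code, not the pve-firewall Perl code), the following Python model shows a ruleset generator swapping a plain ACCEPT for a PVEFW-Accept chain when the IPS is enabled, the PVEFW-Reject chain with its critical-ICMP accepts, and an audit helper that lists every rule still jumping to a plain ACCEPT, which is exactly the traffic the IPS would never see. The tap interface names, the NFQUEUE number, the -o matching and the sample VM rule are assumptions.

```python
# Added example, not code from pve-firewall (which is Perl): a small model of
# how a ruleset generator can swap plain ACCEPT for a PVEFW-Accept chain when
# the IPS is enabled, plus a check for rules that still reach a plain ACCEPT.
# Interface names, queue number and -o matching are assumptions.

TAP_INTERFACES = ["tap100i0", "tap101i0"]  # constructed sample guest interfaces
NFQUEUE_NUM = 0                             # assumed queue number the IPS listens on
CRITICAL_ICMP = ["fragmentation-needed", "time-exceeded"]  # types quoted in the thread


def accept_target(ips_enabled):
    """Target to use wherever a rule would normally ACCEPT."""
    return "PVEFW-Accept" if ips_enabled else "ACCEPT"


def pvefw_accept_chain(ips_enabled):
    """PVEFW-Accept as sketched in the mail: guest (tap) traffic is handed to the
    IPS via NFQUEUE, anything else falls through to ACCEPT. Empty when IPS is off."""
    if not ips_enabled:
        return []
    rules = [f"-A PVEFW-Accept -o {tap} -j NFQUEUE --queue-num {NFQUEUE_NUM}"
             for tap in TAP_INTERFACES]
    rules.append("-A PVEFW-Accept -j ACCEPT")
    return rules


def reject_chain(ips_enabled, bypass_ips_for_critical_icmp=False):
    """PVEFW-Reject: critical ICMP types are accepted first, then the packet is
    rejected. With bypass set, those accepts stay plain ACCEPT and skip the IPS."""
    target = "ACCEPT" if bypass_ips_for_critical_icmp else accept_target(ips_enabled)
    rules = [f"-A PVEFW-Reject -p icmp --icmp-type {t} -j {target}" for t in CRITICAL_ICMP]
    rules.append("-A PVEFW-Reject -j REJECT")
    return rules


def generate_ruleset(ips_enabled, bypass_ips_for_critical_icmp=False):
    """Assemble the chains plus one sample guest rule (ssh into VM 100)."""
    lines = pvefw_accept_chain(ips_enabled)
    lines += reject_chain(ips_enabled, bypass_ips_for_critical_icmp)
    lines.append(f"-A PVEFW-VM100-IN -p tcp --dport 22 -j {accept_target(ips_enabled)}")
    return lines


def ips_bypassing_rules(lines):
    """Rules that jump to a plain ACCEPT outside PVEFW-Accept: with IPS on, this
    is traffic the IPS never sees, so the list should normally be empty."""
    return [r for r in lines
            if r.endswith("-j ACCEPT") and not r.startswith("-A PVEFW-Accept ")]
```

Running the audit over `generate_ruleset(True, bypass_ips_for_critical_icmp=True)` lists the two critical-ICMP accepts in PVEFW-Reject, which is the bypass being asked about in the thread.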
