[pve-devel] [PATCH] add ips feature v3
Alexandre DERUMIER
aderumier at odiso.com
Wed Mar 19 06:33:26 CET 2014
I'll send a new patch today, I found some other missing accept
----- Mail original -----
De: "Alexandre DERUMIER" <aderumier at odiso.com>
À: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: pve-devel at pve.proxmox.com
Envoyé: Mardi 18 Mars 2014 10:33:06
Objet: Re: [pve-devel] [PATCH] add ips feature v3
> I don't known, but if they are critical, maybe can we bypass the ips ?
>>I guess this is a question to for the IPS developers.
I see in default suricata/snort rules
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Fragment Reassembly Time Exceeded"; icode:1; itype:11; classtype:misc-activity; sid:410; rev:5;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Time-To-Live Exceeded in Transit"; icode:0; itype:11; classtype:misc-activity; sid:449; rev:6;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Time-To-Live Exceeded in Transit undefined code"; icode:>1; itype:11; classtype:misc-activity; sid:450; rev:8;)
But this is only alert by default, no drop
>> last question, do you think I need to add PVEFW-Accept for host default
>> rules? (as they are mainly inter-cluster rules)
>>
>>I have no idea if the IPS needs that, sorry.
I just wanted to say, if we want to add overhead of
-j PVEFW-accept
-tap1
-tap2
-tap3
-j ACCEPT
for theses rules.
(as I think it should never match -tap NFQUEUE)
----- Mail original -----
De: "Dietmar Maurer" <dietmar at proxmox.com>
À: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Envoyé: Mardi 18 Mars 2014 09:22:04
Objet: RE: [pve-devel] [PATCH] add ips feature v3
> Do you think the overhead is big ?
> I can work on an optimisation to only replace ACCEPT when ips is enabled
>
Ok, lets go the simple way. We can optimize later.
> >>Besides, I cannot see that this patch replaces all ACCEPT actions, for
> example:
> >>
> >>---------------
> >>sub ruleset_generate_vm_rules {
> >>...
>
> >>if ($direction eq 'OUT') {
> >>...
> >>} else {
> >>ruleset_generate_rule($ruleset, $chain, $rule, { REJECT =>
> >>"PVEFW-reject" }); }
> >>
> >>}
> >>----------------
> >>
> >>So that generates normal ACCEPT?
>
> Oh, I didn't see that we have accept in PVEFW-reject and 'PVEFW-Drop
>
> 'PVEFW-Reject' => [
> # ACCEPT critical ICMP types
> { action => 'ACCEPT', proto => 'icmp', dport => 'fragmentation-needed' },
> { action => 'ACCEPT', proto => 'icmp', dport => 'time-exceeded' },
> ],
>
> 'PVEFW-Drop' => [
> # ACCEPT critical ICMP types
> { action => 'ACCEPT', proto => 'icmp', dport => 'fragmentation-needed' },
> { action => 'ACCEPT', proto => 'icmp', dport => 'time-exceeded' },
> ],
>
> I don't known, but if they are critical, maybe can we bypass the ips ?
I guess this is a question to for the IPS developers.
> last question, do you think I need to add PVEFW-Accept for host default
> rules? (as they are mainly inter-cluster rules)
I have no idea if the IPS needs that, sorry.
_______________________________________________
pve-devel mailing list
pve-devel at pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
More information about the pve-devel
mailing list