[pve-devel] [PATCH] add ips feature v3

Alexandre DERUMIER aderumier at odiso.com
Wed Mar 19 06:33:26 CET 2014


I'll send a new patch today, I found some other missing accept

----- Original Mail ----- 

From: "Alexandre DERUMIER" <aderumier at odiso.com> 
To: "Dietmar Maurer" <dietmar at proxmox.com> 
Cc: pve-devel at pve.proxmox.com 
Sent: Tuesday 18 March 2014 10:33:06 
Subject: Re: [pve-devel] [PATCH] add ips feature v3 

> I don't know, but if they are critical, maybe we can bypass the ips? 

>>I guess this is a question for the IPS developers. 

I see in the default suricata/snort rules: 

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Fragment Reassembly Time Exceeded"; icode:1; itype:11; classtype:misc-activity; sid:410; rev:5;) 
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Time-To-Live Exceeded in Transit"; icode:0; itype:11; classtype:misc-activity; sid:449; rev:6;) 
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Time-To-Live Exceeded in Transit undefined code"; icode:>1; itype:11; classtype:misc-activity; sid:450; rev:8;) 


But these only alert by default, no drop. 


>> last question, do you think I need to add PVEFW-Accept for host default 
>> rules? (as they are mainly inter-cluster rules) 
>> 
>>I have no idea if the IPS needs that, sorry. 
I just wanted to say, if we want to add overhead of 
-j PVEFW-accept 
-tap1 
-tap2 
-tap3 
-j ACCEPT 

for these rules. 
(as I think it should never match -tap NFQUEUE) 

----- Original Mail ----- 

From: "Dietmar Maurer" <dietmar at proxmox.com> 
To: "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: pve-devel at pve.proxmox.com 
Sent: Tuesday 18 March 2014 09:22:04 
Subject: RE: [pve-devel] [PATCH] add ips feature v3 

> Do you think the overhead is big ? 
> I can work on an optimisation to only replace ACCEPT when ips is enabled 
> 

Ok, let's go the simple way. We can optimize later. 

> >>Besides, I cannot see that this patch replaces all ACCEPT actions, for 
> example: 
> >> 
> >>--------------- 
> >>sub ruleset_generate_vm_rules { 
> >>... 
> 
> >>if ($direction eq 'OUT') { 
> >>... 
> >>} else { 
> >>ruleset_generate_rule($ruleset, $chain, $rule, { REJECT => 
> >>"PVEFW-reject" }); } 
> >> 
> >>} 
> >>---------------- 
> >> 
> >>So that generates normal ACCEPT? 
> 
> Oh, I didn't see that we have ACCEPT in 'PVEFW-Reject' and 'PVEFW-Drop' 
> 
> 'PVEFW-Reject' => [ 
> # ACCEPT critical ICMP types 
> { action => 'ACCEPT', proto => 'icmp', dport => 'fragmentation-needed' }, 
> { action => 'ACCEPT', proto => 'icmp', dport => 'time-exceeded' }, 
> ], 
> 
> 'PVEFW-Drop' => [ 
> # ACCEPT critical ICMP types 
> { action => 'ACCEPT', proto => 'icmp', dport => 'fragmentation-needed' }, 
> { action => 'ACCEPT', proto => 'icmp', dport => 'time-exceeded' }, 
> ], 
> 
> I don't know, but if they are critical, maybe we can bypass the ips? 

I guess this is a question for the IPS developers. 

> last question, do you think I need to add PVEFW-Accept for host default 
> rules? (as they are mainly inter-cluster rules) 

I have no idea if the IPS needs that, sorry. 
_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
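The overhead question in the thread (a shared PVEFW-accept chain with one NFQUEUE rule per IPS-enabled tap, ending in a plain ACCEPT, versus a direct ACCEPT when no device uses the IPS) can be sketched as a small rule generator. This is an added illustration, not code from the pve-firewall patch; the tap names, the `generate_accept_chain`/`accept_action` helpers and the use of a physdev match to identify the tap are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample: tap devices that have the IPS enabled (hypothetical names).
my @ips_taps = qw(tap100i0 tap101i0 tap102i0);

# Build the rules of the shared accept chain discussed in the mail: traffic for
# an IPS-enabled tap is handed to NFQUEUE, everything else falls through to the
# final ACCEPT. Matching the tap with 'physdev' is an assumption for this
# example, not the project's own mechanism.
sub generate_accept_chain {
    my ($chain, $taps, $queue_num) = @_;
    my @rules;
    for my $tap (@$taps) {
        push @rules,
          "-A $chain -m physdev --physdev-out $tap -j NFQUEUE --queue-num $queue_num";
    }
    # Host-only traffic never matches a tap rule and ends here, which is the
    # extra chain traversal the thread calls overhead.
    push @rules, "-A $chain -j ACCEPT";
    return \@rules;
}

# The optimisation mentioned in the thread: substitute the chain for a plain
# ACCEPT only when at least one device actually has the IPS enabled.
sub accept_action {
    my ($taps) = @_;
    return @$taps ? 'PVEFW-accept' : 'ACCEPT';
}

my $action = accept_action(\@ips_taps);
print "ACCEPT target becomes: $action\n";
if ($action ne 'ACCEPT') {
    print "$_\n" for @{ generate_accept_chain($action, \@ips_taps, 0) };
}
```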


