On 04.06.2014 13:10, Alexandre DERUMIER wrote:
>>>>> net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3
>>>>> It is then easy to implement such filter.
>>
>> also a good idea.
>>
>> Alexandre - any suggestions?
>
> I like this one ;) also, could be used when we'll implement dhcp server
> inside proxmox.

But dietmar correctly comments on how do we know the IP. Or just as a
textfield set in the creation wizard? Makes this sense.

What are the enable DHCP and MAC Filter Options in the Firewall Options
Menu?

Stefan

> ----- Original message -----
>
> From: "Stefan Priebe - Profihost AG" <s.pri...@profihost.ag>
> To: "Dietmar Maurer" <diet...@proxmox.com>, pve-devel@pve.proxmox.com
> Sent: Wednesday 4 June 2014 12:43:51
> Subject: Re: [pve-devel] pve-firewall: dhcp snooping
>
>>> net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3
>>> It is then easy to implement such filter.
>
> also a good idea.
>
> Alexandre - any suggestions?
>
>
> On 04.06.2014 12:19, Stefan Priebe - Profihost AG wrote:
>> On 04.06.2014 12:10, Dietmar Maurer wrote:
>>>> i'm starting to deploy the pve-firewall code on a test cluster.
>>>>
>>>> Something i really would like to have is dhcp snooping on the linux bridge
>>>> so that
>>>> VMs controlled by somebody else can't use fake / wrong ip addresses.
>>>>
>>>> Is something like this possible with the current firewall code?
>>>
>>> Not implemented, because we do not have/store a list of IPs.
>>>
>>> One option would be to store the list of allowed IP in the VM network
>>> config:
>>>
>>> net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3
>>>
>>> It is then easy to implement such filter.
>>>
>>
>> For snooping there is no ip list needed. You just monitor DHCP ACK
>> packets from specific MAC and IP and then generate the entries.
>>
>> Stefan
>> _______________________________________________
>> pve-devel mailing list
>> pve-devel@pve.proxmox.com
>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
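
The snooping approach described in the thread (watch DHCP ACKs, record the MAC and the IP they assign), as an added example that is not part of the thread or of the pve-firewall code. The interface names and the trusted-port set are assumptions, and the reply payload is constructed rather than captured.

```python
import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2131 magic cookie, precedes the options
OPT_PAD, OPT_LEASE, OPT_MSG_TYPE, OPT_END, DHCPACK = 0, 51, 53, 255, 5

def parse_options(data):
    """Walk the code/length/value option list; stop at END or a truncated option."""
    opts, i = {}, 0
    while i < len(data) and data[i] != OPT_END:
        if data[i] == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            break
        opts[data[i]] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    return opts

def snoop_ack(payload, in_iface, trusted_ifaces):
    """Return (mac, ip, lease_seconds) for a DHCPACK seen on a trusted port, else None."""
    if in_iface not in trusted_ifaces:  # server replies arriving from a VM port are ignored
        return None
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    if payload[0] != 2 or payload[1] != 1 or payload[2] != 6:  # BOOTREPLY, Ethernet, 6-byte MAC
        return None
    opts = parse_options(payload[240:])
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPACK]):
        return None
    ip = socket.inet_ntoa(payload[16:20])  # yiaddr: address handed to the client
    if ip == "0.0.0.0":  # an ACK answering DHCPINFORM assigns nothing
        return None
    mac = ":".join(f"{b:02X}" for b in payload[28:34])  # chaddr
    raw = opts.get(OPT_LEASE, b"")
    lease = struct.unpack("!I", raw)[0] if len(raw) == 4 else 0
    return mac, ip, lease

def build_reply(mac, yiaddr, msg_type, lease=3600):
    """Constructed sample DHCP server reply (UDP body only, not a capture)."""
    pkt = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234, 0, 0)  # op htype hlen hops xid secs flags
    pkt += bytes(4) + socket.inet_aton(yiaddr) + bytes(8)  # ciaddr, yiaddr, siaddr+giaddr
    pkt += bytes.fromhex(mac.replace(":", "")) + bytes(10 + 64 + 128)  # chaddr, sname, file
    return pkt + DHCP_MAGIC + bytes([53, 1, msg_type, 51, 4]) + struct.pack("!I", lease) + b"\xff"

if __name__ == "__main__":
    ack = build_reply("0E:0B:38:B8:B3:21", "192.168.2.3", DHCPACK)
    print(snoop_ack(ack, "uplink0", {"uplink0"}))  # hypothetical uplink name
```

Each returned binding is what a per-port source filter would be built from; the lease time says when the entry has to expire.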