On 10.06.2014 08:31, Alexandre DERUMIER wrote:
> Hi,
> I'll send patches this week, I was too busy last week.

Thanks - I'm looking forward to those. I hope we can find a way to make
VMs' network stuff more secure at all places.

libvirt does it with those: http://libvirt.org/formatnwfilter.html

Greets,
Stefan

> Alexandre
>
> ----- Original message -----
>
> From: "Alexandre DERUMIER" <aderum...@odiso.com>
> To: "Stefan Priebe - Profihost AG" <s.pri...@profihost.ag>
> Cc: pve-devel@pve.proxmox.com
> Sent: Thursday 5 June 2014 13:20:30
> Subject: Re: [pve-devel] pve-firewall: dhcp snooping
>
>>> I would prefer a solution which covers both.
>
> I'll make the patch for the ips in vmid.conf and firewall protection.
>
> I think Dietmar has more ideas for implementing permissions ;)
>
>
> ----- Original message -----
>
> From: "Stefan Priebe - Profihost AG" <s.pri...@profihost.ag>
> To: "Alexandre DERUMIER" <aderum...@odiso.com>
> Cc: pve-devel@pve.proxmox.com, "Dietmar Maurer" <diet...@proxmox.com>
> Sent: Thursday 5 June 2014 10:27:41
> Subject: Re: [pve-devel] pve-firewall: dhcp snooping
>
> On 05.06.2014 10:15, Alexandre DERUMIER wrote:
>>>> This is cool and great but we should also think of the possibility
>>>> that the user cannot freely decide which IP he wants to use and we still
>>>> want to have the above protection.
>>
>> I think more something like:
>>
>> only the superadmin defines ip pools, with ips inside.
>> then choose which user is allowed to use which pool.
>>
>> and a user can only use ips of his pool.
>> (or do you want to force a user to use a specific ip, for a specific
>> vm ?)
>
> Yes this is great and might be good for several use cases. But if you
> think of users having only 1 vm and only being allowed to use one ip it
> is a lot of work to create pools for each.
>
> I would prefer a solution which covers both.
>
> Stefan
>
>> ----- Original message -----
>>
>> From: "Stefan Priebe - Profihost AG" <s.pri...@profihost.ag>
>> To: "Alexandre DERUMIER" <aderum...@odiso.com>
>> Cc: pve-devel@pve.proxmox.com, "Dietmar Maurer" <diet...@proxmox.com>
>> Sent: Thursday 5 June 2014 10:05:25
>> Subject: Re: [pve-devel] pve-firewall: dhcp snooping
>>
>> On 05.06.2014 09:34, Alexandre DERUMIER wrote:
>>>>> Does that mean we insert the VM IP into <VMID>.fw ? What would be the
>>>>> format? Who is able to edit this one.
>>>
>>> net0 : .....,ips=192.168.0.1,192.168.0.2
>>>
>>> (like this it's possible to have multiple IPs per interface)
>>>
>>>
>>> add an option in firewall like : ipspoofingprotection : 1|0
>>
>> sounds great.
>>
>>>>> I think the VM owner should be able to insert / update FW rules but
>>>>> should NOT be able to change the allowed IP. Is this assumption correct?
>>>
>>> Dietmar would like to implement some kind of "ip pools",
>>> you define pools of ips, then give users permission to use these ips.
>>> then the user can assign these ips to vms of his choice
>>
>> This is cool and great but we should also think of the possibility
>> that the user cannot freely decide which IP he wants to use and we still
>> want to have the above protection.
>>
>> Stefan
>>
>>
>>> ----- Original message -----
>>>
>>> From: "Stefan Priebe - Profihost AG" <s.pri...@profihost.ag>
>>> To: "Alexandre DERUMIER" <aderum...@odiso.com>, "Dietmar Maurer"
>>> <diet...@proxmox.com>
>>> Cc: pve-devel@pve.proxmox.com
>>> Sent: Thursday 5 June 2014 08:29:24
>>> Subject: Re: [pve-devel] pve-firewall: dhcp snooping
>>>
>>>
>>> On 05.06.2014 07:44, Alexandre DERUMIER wrote:
>>>>
>>>>>> something like:
>>>>>>
>>>>>> -A tap100i0-OUT -m mac ! --mac-source 0E:0B:38:B8:B3:21 -j DROP # we already have this
>>>>>> -A tap100i0-OUT -m set ! --match-set PVEFW-100-allowed-ips src -j DROP
>>>>
>>>> I can make a patch if you want.
>>>
>>> Would be great - but I still don't know how this would work.
>>>
>>> Does that mean we insert the VM IP into <VMID>.fw ? What would be the
>>> format? Who is able to edit this one.
>>>
>>> I think the VM owner should be able to insert / update FW rules but
>>> should NOT be able to change the allowed IP. Is this assumption correct?
>>>
>>> Stefan
>>>
>>>> ----- Original message -----
>>>>
>>>> From: "Dietmar Maurer" <diet...@proxmox.com>
>>>> To: "Stefan Priebe - Profihost AG" <s.pri...@profihost.ag>, "Alexandre
>>>> DERUMIER" <aderum...@odiso.com>
>>>> Cc: pve-devel@pve.proxmox.com
>>>> Sent: Wednesday 4 June 2014 14:50:53
>>>> Subject: RE: [pve-devel] pve-firewall: dhcp snooping
>>>>
>>>>>> The 'allowed_ips' ipset idea is very easy to implement ...
>>>>>>
>>>>>
>>>>> OK so adding option IP to each netX.
>>>>
>>>> No, I talk about an IPSet defined inside the <VMID>.fw file.
>>>>
>>>>> Just don't know how to implement the
>>>>> firewall rule to only allow packets from this MAC and IP combination.
>>>>
>>>> something like:
>>>>
>>>> -A tap100i0-OUT -m mac ! --mac-source 0E:0B:38:B8:B3:21 -j DROP # we already have this
>>>> -A tap100i0-OUT -m set ! --match-set PVEFW-100-allowed-ips src -j DROP
>>>>
> _______________________________________________
> pve-devel mailing list
> pve-devel@pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel