On 04.07.2014 13:45, Alexandre DERUMIER wrote:
>>> What about ARP traffic? Someone can claim he is another MAC in ARP. Even
>>> though IP traffic will then never reach the VM, he still can tell via ARP
>>> that this VM is for example the GW.
>
> Oh, ok, you are right!
>
> I'll make a patch for ebtables, it should be easy to implement.

That would be really great. It would be really nice if we can also define
a set of protocols allowed for this VM. For example:

layer2filter_protocols: ARP,IPV4,IPV6

so any other layer-2 protocol gets dropped.

Stefan

> ----- Original Message -----
>
> From: "Stefan Priebe - Profihost AG" <s.pri...@profihost.ag>
> To: "Alexandre DERUMIER" <aderum...@odiso.com>
> Cc: "pve-devel" <pve-devel@pve.proxmox.com>
> Sent: Friday 4 July 2014 11:28:40
> Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ?
>
>
> On 04.07.2014 11:24, Alexandre DERUMIER wrote:
>>>> Sorry, I just meant MAC spoofing.
>>>>
>>>> We should have ebtables rules like these:
>>>> # Drop packets that don't match the network's MAC Address
>>>> -s ! <mac_address>/ff:ff:ff:ff:ff:0 -o <tap_device> -j DROP
>>>> # Prevent MAC spoofing
>>>> -s ! <mac_address> -i <tap_device> -j DROP
>>>>
>>>> Then we should filter non-ARP, IPv4 and IPv6 traffic in ebtables to
>>>> prevent other crazy packets.
>>
>> What is the advantage of doing it in ebtables vs iptables?
>> http://ebtables.sourceforge.net/examples/basic.html#ex_anti-spoof
>>
>> (I ask the question because if you have a lot of MACs to filter,
>> in the worst case you need to check all the ebtables rules, and for each
>> packet.)
>
> This works as long as you talk about IPv4 or IPv6 traffic. What about
> non-IP traffic? iptables can only handle layer 3 traffic.
>
> What about ARP traffic? Someone can claim he is another MAC in ARP. Even
> though IP traffic will then never reach the VM, he still can tell via ARP
> that this VM is for example the GW.
>
>> Also, with iptables, when the connection is established, we don't check the
>> MAC address.
>> (don't know if it can be a security problem)
>
> Stefan
>
>
>> ----- Original Message -----
>>
>> From: "Stefan Priebe - Profihost AG" <s.pri...@profihost.ag>
>> To: "Alexandre DERUMIER" <aderum...@odiso.com>
>> Cc: "pve-devel" <pve-devel@pve.proxmox.com>
>> Sent: Friday 4 July 2014 11:07:38
>> Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ?
>>
>> On 04.07.2014 11:03, Alexandre DERUMIER wrote:
>>>>> Main problem is that iptables is only layer 3. What about layer 2 IP / MAC
>>>>> spoofing?
>>>
>>> Yes, MAC filtering needs to be done like currently, in tapchain.
>>>
>>>
>>> (layer 2 IP ????)
>>
>> Sorry, I just meant MAC spoofing.
>>
>> We should have ebtables rules like these:
>> # Drop packets that don't match the network's MAC Address
>> -s ! <mac_address>/ff:ff:ff:ff:ff:0 -o <tap_device> -j DROP
>> # Prevent MAC spoofing
>> -s ! <mac_address> -i <tap_device> -j DROP
>>
>> Then we should filter non-ARP, IPv4 and IPv6 traffic in ebtables to
>> prevent other crazy packets.
>>
>> Regards
>> Stefan
>>
>>> ----- Original Message -----
>>>
>>> From: "Stefan Priebe - Profihost AG" <s.pri...@profihost.ag>
>>> To: "Alexandre DERUMIER" <aderum...@odiso.com>, "pve-devel"
>>> <pve-devel@pve.proxmox.com>
>>> Sent: Friday 4 July 2014 10:55:58
>>> Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ?
>>>
>>> On 19.06.2014 07:50, Alexandre DERUMIER wrote:
>>>>>> But I don't see anywhere in the code where these rules are generated?
>>>>
>>>> I think we could create a PVEFW-cluster-IN|OUT chain, and put it at the same
>>>> level as blacklist.
>>>>
>>>> (and maybe make the blacklist ipset more generic, if we can create a rule with
>>>> blacklist)
>>>>
>>>> Also, I just found that ipset provides a net,iface hash:
>>>>
>>>> ipset create foo hash:net,iface
>>>> ipset add foo 192.168.0/24,eth0
>>>> ipset add foo 10.1.0.0/16,eth1
>>>> ipset test foo 192.168.0/24,eth0
>>>>
>>>> Maybe we can use it to implement ipfilter at cluster level?
>>>
>>> Main problem is that iptables is only layer 3. What about layer 2 IP / MAC
>>> spoofing?
>>>
>>>
>>> Stefan
>>>
>>>> ----- Original Message -----
>>>>
>>>> From: "Alexandre DERUMIER" <aderum...@odiso.com>
>>>> To: "pve-devel" <pve-devel@pve.proxmox.com>
>>>> Sent: Thursday 19 June 2014 06:09:15
>>>> Subject: [pve-devel] firewall : cluster.fw [rules] section ?
>>>>
>>>> Hi,
>>>> I see in cluster.fw a [rules] section,
>>>>
>>>> But I don't see anywhere in the code where these rules are generated?
>>>> _______________________________________________
>>>> pve-devel mailing list
>>>> pve-devel@pve.proxmox.com
>>>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
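The two ideas raised in this thread, pinning a VM's tap device to its MAC in ebtables and then allowing only an explicit list of layer-2 protocols (the "layer2filter_protocols: ARP,IPV4,IPV6" proposal), put together as an added example. This is not code from the thread or from pve-firewall: the chain name PVEFW-L2-<tap>, the tap device tap100i0 and the MAC 52:54:00:12:34:56 are constructed for the demo. It also adds a check the thread only hints at: besides the Ethernet source address, the sender hardware address inside ARP replies is matched against the VM's MAC, so the VM cannot advertise another MAC (the gateway's, say) in ARP even when its frames carry the right source.

```shell
#!/bin/sh
# Added example, not Proxmox/pve-firewall code. Generates the ebtables
# commands for one VM tap; nothing is applied. Pipe the output to `sh`
# as root to install the rules. Names below are assumptions for the demo.

# Map a protocol name (case-insensitive) to the EtherType name ebtables
# accepts for -p. Only the three the thread mentions are supported; any
# other name is an error rather than a silent accept.
proto_ethertype() {
    case "$1" in
        [Aa][Rr][Pp])   echo ARP  ;;
        [Ii][Pp][Vv]4)  echo IPv4 ;;
        [Ii][Pp][Vv]6)  echo IPv6 ;;
        *) echo "unknown layer-2 protocol: $1" >&2; return 1 ;;
    esac
}

# Accept only a full colon-separated MAC; a bad value must not end up in a rule.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# gen_vm_l2_rules <tap> <mac> <protocols, comma or space separated>
# Prints one ebtables command per line for a per-tap chain.
gen_vm_l2_rules() {
    tap=$1; mac=$2; protos=$3
    chain="PVEFW-L2-$tap"            # assumed chain naming, not pve-firewall's
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }

    printf 'ebtables -N %s\n' "$chain"
    # 1. Frames from the VM whose Ethernet source is not its MAC are dropped.
    printf 'ebtables -A %s -i %s -s ! %s -j DROP\n' "$chain" "$tap" "$mac"
    # 2. Same check inside ARP: the sender hardware address must match too,
    #    otherwise the VM can still claim another MAC in ARP replies.
    printf 'ebtables -A %s -i %s -p ARP --arp-mac-src ! %s -j DROP\n' "$chain" "$tap" "$mac"
    # 3. Allow-list of EtherTypes; runs in a subshell so IFS is not leaked.
    (
        IFS=', '
        for p in $protos; do
            et=$(proto_ethertype "$p") || exit 1
            printf 'ebtables -A %s -i %s -p %s -j ACCEPT\n' "$chain" "$tap" "$et"
        done
    ) || return 1
    # 4. Everything else coming from the VM is dropped.
    printf 'ebtables -A %s -i %s -j DROP\n' "$chain" "$tap"
    # 5. Hook the chain for frames arriving on this tap, both bridged
    #    traffic (FORWARD) and traffic for the host itself (INPUT).
    printf 'ebtables -A FORWARD -i %s -j %s\n' "$tap" "$chain"
    printf 'ebtables -A INPUT -i %s -j %s\n' "$tap" "$chain"
}

# Demo with constructed values.
gen_vm_l2_rules tap100i0 52:54:00:12:34:56 ARP,IPv4,IPv6
```

The per-tap chain keeps the MAC and EtherType checks to a handful of rules per VM, but the `-i <tap>` hooks in FORWARD and INPUT are still evaluated linearly, one per tap, for every frame, which is the cost Alexandre points out above. The rules only look at frames entering the bridge from the VM; the thread's `-o <tap_device>` rule for the other direction is not covered here.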