Hi there, I want/need to enforce instances to use the IPs allocated by OpenNebula. I do have them configured on boot, but nothing currently prevents my users to change them. This can lead to problems as they can DoS other user instances, or even my router, proxy or infrastructure services. I currently use ebtables, but it only prevents mac spoof (by the way, what's the use case for that?). Iptables, as far as I can see, will only set rules for Layer 7. I previously tested CloudStack, and they used iptables to enforce the IP. Also, as far as I know, libvirt now supports ip antispoof. I though about adding the iptables rules to ebtables, but then I they would be overriden by OpenNebula firewall. Also, I'm unsure how it would behave when machines are live migrated. My question is if there is a way, out of the box, to prevent spoof. If not, maybe somebody can give me some guidance on what files or hooks to change.
Thanks.
_______________________________________________ Users mailing list Users@lists.opennebula.org http://lists.opennebula.org/listinfo.cgi/users-opennebula.org