On 05.06.2014 09:34, Alexandre DERUMIER wrote:
>>> Does that mean we insert the VM IP into <VMID>.fw ? What would be the
>>> format? Who is able to edit this one.
>
> net0 : .....,ips=192.168.0.1,192.168.0.2
>
> (like this it's possible to have multiple ip by interface)
>
>
> add an option in firewall like : ipspoofingprotection : 1|0

sounds great.

>>> I think the VM owner should be able to insert / update FW rules but
>>> should NOT be able to change the allowed IP. Is this assumption correct?
>
> Dietmar would like to implement some kind of "ip pools",
> you defined pools of ips, then give user permission to use these ips.
> then user can assign these ip in vms of his choice

This is cool and great but we should also think of the possibility - that
the user cannot freely decide which IP he wants to use and we still want to
have the above protection.

Stefan

> ----- Original Message -----
>
> From: "Stefan Priebe - Profihost AG" <s.pri...@profihost.ag>
> To: "Alexandre DERUMIER" <aderum...@odiso.com>, "Dietmar Maurer"
> <diet...@proxmox.com>
> Cc: pve-devel@pve.proxmox.com
> Sent: Thursday 5 June 2014 08:29:24
> Subject: Re: [pve-devel] pve-firewall: dhcp snooping
>
>
> On 05.06.2014 07:44, Alexandre DERUMIER wrote:
>>
>>>> something like:
>>>>
>>>> -A tap100i0-OUT -m mac ! --mac-source 0E:0B:38:B8:B3:21 -j DROP # we
>>>> already have this
>>>> -A tap100i0-OUT -m set ! --match-set PVEFW-100-allowed-ips src -j DROP
>>
>> I can make a patch if you want.
>
> Would be great - but i still don't know how this would work.
>
> Does that mean we insert the VM IP into <VMID>.fw ? What would be the
> format? Who is able to edit this one.
>
> I think the VM owner should be able to insert / update FW rules but
> should NOT be able to change the allowed IP. Is this assumption correct?
>
> Stefan
>
>> ----- Original Message -----
>>
>> From: "Dietmar Maurer" <diet...@proxmox.com>
>> To: "Stefan Priebe - Profihost AG" <s.pri...@profihost.ag>, "Alexandre
>> DERUMIER" <aderum...@odiso.com>
>> Cc: pve-devel@pve.proxmox.com
>> Sent: Wednesday 4 June 2014 14:50:53
>> Subject: RE: [pve-devel] pve-firewall: dhcp snooping
>>
>>>> The 'allowed_ips' ipset idea is very easy to implement ...
>>>>
>>>
>>> OK so adding option IP to each netX.
>>
>> No, I talk about an IPSet defined inside the <VMID>.fw file.
>>
>>> Just don't know how to implement the
>>> firewall rule to only allow packets from this MAC and IP combination.
>>
>> something like:
>>
>> -A tap100i0-OUT -m mac ! --mac-source 0E:0B:38:B8:B3:21 -j DROP # we already
>> have this
>> -A tap100i0-OUT -m set ! --match-set PVEFW-100-allowed-ips src -j DROP

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
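The MAC plus allowed-IP anti-spoofing scheme discussed in this thread, as an added POSIX shell example that is not pve-firewall's own code. It assumes the net line format proposed above (`virtio=<MAC>,bridge=vmbr0,ips=<ip>,<ip>`), the ipset name `PVEFW-<VMID>-allowed-ips` and the `ipspoofingprotection` switch from the thread, and a `hash:ip` set type; the function names `parse_mac`, `parse_ips` and `gen_antispoof_rules` are mine. It only prints the ipset/iptables commands so it can be run anywhere without root. The one edge case it handles deliberately: with protection on but no `ips=` configured, it refuses instead of emitting a `! --match-set` rule against an empty set, which would drop all of the VM's traffic.

```shell
#!/bin/sh
# Added example, not pve-firewall code. Generates (does not apply) the
# anti-spoofing rules for one VM NIC from a net line in the format the
# thread proposes: "virtio=<MAC>,bridge=vmbr0,ips=<ip>,<ip>" (assumed).

# Print the MAC from the model=MAC token of a net line (empty if none).
# The model key names are an assumption based on common QEMU NIC models.
parse_mac() {
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        case $tok in
            virtio=*|e1000=*|rtl8139=*|vmxnet3=*) printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
    return 0
}

# Print the allowed IPs, one per line. Because "ips=" uses the same comma
# as the option separator, every bare token after "ips=" up to the next
# "key=" token is taken as an IP.
parse_ips() {
    in_ips=0
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        case $tok in
            ips=*) in_ips=1; printf '%s\n' "${tok#ips=}" ;;
            *=*)   in_ips=0 ;;
            *)     [ "$in_ips" -eq 1 ] && printf '%s\n' "$tok" ;;
        esac
    done
    return 0
}

# $1 = VMID, $2 = NIC index, $3 = net line, $4 = ipspoofingprotection (1|0)
gen_antispoof_rules() {
    vmid=$1; nic=$2; netline=$3; protect=${4:-1}
    chain="tap${vmid}i${nic}-OUT"
    setname="PVEFW-${vmid}-allowed-ips"

    mac=$(parse_mac "$netline")
    [ -n "$mac" ] || { echo "net$nic: no MAC found" >&2; return 1; }
    # MAC anti-spoofing rule (the one the thread says already exists).
    printf 'iptables -A %s -m mac ! --mac-source %s -j DROP\n' "$chain" "$mac"

    [ "$protect" = 1 ] || return 0
    ips=$(parse_ips "$netline")
    # Refuse to build a rule against an empty set: it would drop everything.
    [ -n "$ips" ] || { echo "net$nic: ipspoofingprotection=1 but no ips= configured" >&2; return 1; }

    printf 'ipset create %s hash:ip -exist\n' "$setname"
    for ip in $ips; do
        printf 'ipset add %s %s -exist\n' "$setname" "$ip"
    done
    # Source-IP anti-spoofing rule: drop anything not in the allowed set.
    printf 'iptables -A %s -m set ! --match-set %s src -j DROP\n' "$chain" "$setname"
}

# Demo on a constructed net0 line (MAC and IPs taken from the thread).
gen_antispoof_rules 100 0 'virtio=0E:0B:38:B8:B3:21,bridge=vmbr0,ips=192.168.0.1,192.168.0.2' 1
```

The generated commands are safe to pipe into `sh` on a host only if the `tap100i0-OUT` chain exists; the point here is the rule shape, and the fact that the allowed-IP set is keyed by VMID, so the VM owner's own rules in `<VMID>.fw` never touch it.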