>>This is cool and great but we should also think of the possibility -
>>that the user cannot freely decide which IP he wants to use and we still
>>want to have the above protection.

I think more something like:

only the superadmin defines ip pools, with ips inside.
then choose which user is allowed to use which pool.

and user can only use ips of his pool.


(or do you want to force a user to use a specific ip, for a specific vm?)



----- Mail original ----- 

De: "Stefan Priebe - Profihost AG" <s.pri...@profihost.ag> 
À: "Alexandre DERUMIER" <aderum...@odiso.com> 
Cc: pve-devel@pve.proxmox.com, "Dietmar Maurer" <diet...@proxmox.com> 
Envoyé: Jeudi 5 Juin 2014 10:05:25 
Objet: Re: [pve-devel] pve-firewall: dhcp snooping 

Am 05.06.2014 09:34, schrieb Alexandre DERUMIER: 
>>> Does that mean we insert the VM IP into <VMID>.fw ? What would be the 
>>> format? Who is able to edit this one? 
> 
> net0 : .....,ips=192.168.0.1,192.168.0.2 
> 
> (like this it's possible to have multiple ip by interface) 
> 
> 
> add an option in firewall like : ipspoofingprotection : 1|0 

sounds great. 

>>> I think the VM owner should be able to insert / update FW rules but 
>>> should NOT be able to change the allowed IP. Is this assumption correct? 
> 
> Dietmar would like to implement some kind of "ip pools", 
> you defined pools of ips, then give user permission to use these ips. 
> then user can assign these ips in vms of his choice 

This is cool and great but we should also think of the possibility - 
that the user cannot freely decide which IP he wants to use and we still 
want to have the above protection. 

Stefan 


> ----- Mail original ----- 
> 
> De: "Stefan Priebe - Profihost AG" <s.pri...@profihost.ag> 
> À: "Alexandre DERUMIER" <aderum...@odiso.com>, "Dietmar Maurer" 
> <diet...@proxmox.com> 
> Cc: pve-devel@pve.proxmox.com 
> Envoyé: Jeudi 5 Juin 2014 08:29:24 
> Objet: Re: [pve-devel] pve-firewall: dhcp snooping 
> 
> 
> Am 05.06.2014 07:44, schrieb Alexandre DERUMIER: 
>> 
>>>> something like: 
>>>> 
>>>> -A tap100i0-OUT -m mac ! --mac-source 0E:0B:38:B8:B3:21 -j DROP # we 
>>>> already have this 
>>>> -A tap100i0-OUT -m set ! --match-set PVEFW-100-allowed-ips src -j DROP 
>> 
>> I can make a patch if you want. 
> 
> Would be great - but i still don't know how this would work. 
> 
> Does that mean we insert the VM IP into <VMID>.fw ? What would be the 
> format? Who is able to edit this one? 
> 
> I think the VM owner should be able to insert / update FW rules but 
> should NOT be able to change the allowed IP. Is this assumption correct? 
> 
> Stefan 
> 
>> ----- Mail original ----- 
>> 
>> De: "Dietmar Maurer" <diet...@proxmox.com> 
>> À: "Stefan Priebe - Profihost AG" <s.pri...@profihost.ag>, "Alexandre 
>> DERUMIER" <aderum...@odiso.com> 
>> Cc: pve-devel@pve.proxmox.com 
>> Envoyé: Mercredi 4 Juin 2014 14:50:53 
>> Objet: RE: [pve-devel] pve-firewall: dhcp snooping 
>> 
>>>> The 'allowed_ips' ipset idea is very easy to implement ... 
>>>> 
>>> 
>>> OK so adding option IP to each netX. 
>> 
>> No, I talk about an IPSet defined inside the <VMID>.fw file. 
>> 
>>> Just don't know how to implement the 
>>> firewall rule to only allow packets from this MAC and IP combination. 
>> 
>> something like: 
>> 
>> -A tap100i0-OUT -m mac ! --mac-source 0E:0B:38:B8:B3:21 -j DROP # we already 
>> have this 
>> -A tap100i0-OUT -m set ! --match-set PVEFW-100-allowed-ips src -j DROP 
>> 
_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
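An added example, not code from the thread or from pve-firewall itself: a small shell generator for the MAC-plus-ipset rules discussed above. It assumes the hypothetical set name PVEFW-<VMID>-allowed-ips, the chain name tap<VMID>i<N>-OUT and the proposed ipspoofingprotection flag as a 1|0 argument. The detail a practitioner needs on reload is that the set must exist before the rule referencing it is loaded, and that an empty set drops every packet the VM sends, so the IPs are loaded into a staging set that is swapped in atomically.

```shell
# gen_spoof_rules: print the ipset and iptables commands that implement the
# MAC + allowed-IP check from the thread for one VM NIC.
# Assumptions (hypothetical, not pve-firewall's own code): the ipset is named
# PVEFW-<VMID>-allowed-ips, the chain is tap<VMID>i<N>-OUT, and PROTECT carries
# the proposed 'ipspoofingprotection' option (1 or 0).
#
# Usage: gen_spoof_rules VMID NETID MAC PROTECT IP...
gen_spoof_rules() {
    vmid=$1; netid=$2; mac=$3; protect=$4
    shift 4
    chain="tap${vmid}i${netid}-OUT"
    set_name="PVEFW-${vmid}-allowed-ips"

    # MAC check; the thread notes this rule already exists.
    printf 'iptables -A %s -m mac ! --mac-source %s -j DROP\n' "$chain" "$mac"

    # Only the MAC rule is emitted when the option is off.
    [ "$protect" = "1" ] || return 0

    # The set must exist before a rule references it, so create it first.
    # Fill a staging set and swap it in atomically, so a reload never leaves
    # the NIC with an empty set (which would drop all of the VM's traffic).
    printf 'ipset create %s hash:ip -exist\n' "$set_name"
    printf 'ipset create %s-new hash:ip -exist\n' "$set_name"
    printf 'ipset flush %s-new\n' "$set_name"
    for ip in "$@"; do
        printf 'ipset add %s-new %s -exist\n' "$set_name" "$ip"
    done
    printf 'ipset swap %s-new %s\n' "$set_name" "$set_name"
    printf 'ipset destroy %s-new\n' "$set_name"

    # Drop anything leaving the tap whose source IP is not in the set.
    printf 'iptables -A %s -m set ! --match-set %s src -j DROP\n' "$chain" "$set_name"
}

# Constructed sample: VM 100, net0, the MAC from the thread, two allowed IPs.
gen_spoof_rules 100 0 0E:0B:38:B8:B3:21 1 192.168.0.1 192.168.0.2
```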
