Re: [ovirt-users] IP Address Stealing

2016-08-14 Thread Edward Haas
On Fri, Aug 12, 2016 at 8:17 PM, Bill Bill <jax2...@outlook.com> wrote:

> Cool. It looks like that works. Perhaps it would be good for oVirt to have
> a few text fields in the nic properties to enter IP addresses into which
> can match the rules being used. For example, when enabling the
> clean-traffic filter it appears the VM can only have 1 IP address; even if
> another IP is added legitimately, it still only works with the original IP
> address.
>
> Something like this: http://i.imgur.com/9BUZRCN.jpg
>
> So essentially, traffic would be blocked on that VM for any other IP space
> other than the IPs entered into the text fields, which then edit/work with
> the netfilter rules. The idea would be that clicking “click to add more”
> would add another text field.
>

That could have been a nice option indeed.
Could you please open an RFE on bugzilla so we can consider and manage this?

Thanks,
Edy.


>
> *From: *Edward Haas <eh...@redhat.com>
> *Sent: *Thursday, August 4, 2016 3:47 AM
> *To: *Subhendu Ghosh <sgh...@redhat.com>
> *Cc: *Bill Bill <jax2...@outlook.com>; users <users@ovirt.org>
> *Subject: *Re: [ovirt-users] IP Address Stealing
>
> On Thu, Aug 4, 2016 at 6:27 AM, Subhendu Ghosh <sgh...@redhat.com> wrote:
>
>> Not built into ovirt AFAIK, but an ebtables rule can allow you to filter
>> out mac+ip combinations
>>
>> Look at the anti-spoofing rules on ebtables.netfilter.org
>>
>> It doesn't prevent the user adding it in the vm, but the infrastructure
>> blocks its usage.
>>
>> --
>> *From:* Bill Bill <jax2...@outlook.com>
>> *Sent:* Aug 3, 2016 22:40
>> *To:* users@ovirt.org
>> *Subject:* [ovirt-users] IP Address Stealing
>>
>> Hello,
>>
>> Is it possible to prevent a VM from adding an IP? For example, if we
>> provision a VM with one IP, if the user has root access they can simply add
>> random IPs from within the same range as sub interfaces: eth0:0 eth0:1
>> eth0:2 so on and so forth.
>>
>> Subnetting is not ideal in this situation because it’s a huge waste of IP
>> space.
>>
>
> In oVirt 4.0, you can choose a vnic libvirt filter from a list (at the
> vnic profile settings).
> You can check the clean-traffic filter which uses multiple other more
> specific filters.
> Ref: https://libvirt.org/formatnwfilter.html
>
> Thanks,
> Edy.
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
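
Added example, not part of the original thread or of oVirt's code: libvirt accepts a repeated IP parameter on a filterref, so the clean-traffic filter can be given a list of permitted addresses instead of a single one. The function name build_filterref, the IPv4-only restriction and the sample addresses are assumptions of this example; how oVirt would pass such parameters down to libvirt is not covered in the thread.

```python
import ipaddress
import xml.etree.ElementTree as ET


def build_filterref(allowed_ips, filter_name="clean-traffic"):
    """Build a libvirt <filterref> that pins a vNIC to an IPv4 allow-list.

    Each address becomes one <parameter name='IP' .../>; libvirt treats
    repeated IP parameters as a list of permitted source addresses.
    """
    validated = []
    for raw in allowed_ips:
        addr = ipaddress.ip_address(raw.strip())  # ValueError on malformed input
        if addr.version != 4:
            raise ValueError(f"{addr}: this example handles IPv4 only")
        if addr.is_unspecified or addr.is_multicast or addr.is_loopback:
            raise ValueError(f"{addr}: not a usable guest address")
        if str(addr) not in validated:  # drop duplicates, keep order
            validated.append(str(addr))
    if not validated:
        # Without an IP parameter libvirt learns the guest address from its
        # traffic instead of enforcing an explicit allow-list.
        raise ValueError("allow-list is empty")

    ref = ET.Element("filterref", {"filter": filter_name})
    for ip in validated:
        ET.SubElement(ref, "parameter", {"name": "IP", "value": ip})
    return ref


def render(ref):
    """Serialize the element as it would sit inside the <interface> element."""
    return ET.tostring(ref, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample addresses (RFC 5737 documentation range).
    print(render(build_filterref(["192.0.2.10", "192.0.2.11", "192.0.2.10"])))
```

The resulting element goes inside the VM's <interface> definition; source addresses outside the list are dropped on the host, whatever the guest configures on eth0:0, eth0:1 and so on.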


Re: [ovirt-users] IP Address Stealing

2016-08-12 Thread Bill Bill
Cool. It looks like that works. Perhaps it would be good for oVirt to have a
few text fields in the nic properties to enter IP addresses into which can
match the rules being used. For example, when enabling the clean-traffic filter
it appears the VM can only have 1 IP address; even if another IP is added
legitimately, it still only works with the original IP address.

Something like this: http://i.imgur.com/9BUZRCN.jpg

So essentially, traffic would be blocked on that VM for any other IP space
other than the IPs entered into the text fields, which then edit/work with the
netfilter rules. The idea would be that clicking “click to add more” would add
another text field.



From: Edward Haas <eh...@redhat.com>
Sent: Thursday, August 4, 2016 3:47 AM
To: Subhendu Ghosh <sgh...@redhat.com>
Cc: Bill Bill <jax2...@outlook.com>; users <users@ovirt.org>
Subject: Re: [ovirt-users] IP Address Stealing



On Thu, Aug 4, 2016 at 6:27 AM, Subhendu Ghosh <sgh...@redhat.com> wrote:
Not built into ovirt AFAIK, but an ebtables rule can allow you to filter out
mac+ip combinations

Look at the anti-spoofing rules on ebtables.netfilter.org

It doesn't prevent the user adding it in the vm, but the infrastructure blocks
its usage.


From: Bill Bill <jax2...@outlook.com>
Sent: Aug 3, 2016 22:40
To: users@ovirt.org
Subject: [ovirt-users] IP Address Stealing

Hello,

Is it possible to prevent a VM from adding an IP? For example, if we provision
a VM with one IP, if the user has root access they can simply add random IPs
from within the same range as sub interfaces: eth0:0 eth0:1 eth0:2 so on and so
forth.

Subnetting is not ideal in this situation because it’s a huge waste of IP space.

In oVirt 4.0, you can choose a vnic libvirt filter from a list (at the vnic 
profile settings).
You can check the clean-traffic filter which uses multiple other more specific 
filters.
Ref: https://libvirt.org/formatnwfilter.html

Thanks,
Edy.





Re: [ovirt-users] IP Address Stealing

2016-08-04 Thread Edward Haas
On Thu, Aug 4, 2016 at 6:27 AM, Subhendu Ghosh wrote:

> Not built into ovirt AFAIK, but an ebtables rule can allow you to filter
> out mac+ip combinations
>
> Look at the anti-spoofing rules on ebtables.netfilter.org
>
> It doesn't prevent the user adding it in the vm, but the infrastructure
> blocks its usage.
>
> --
> *From:* Bill Bill 
> *Sent:* Aug 3, 2016 22:40
> *To:* users@ovirt.org
> *Subject:* [ovirt-users] IP Address Stealing
>
> Hello,
>
> Is it possible to prevent a VM from adding an IP? For example, if we
> provision a VM with one IP, if the user has root access they can simply add
> random IPs from within the same range as sub interfaces: eth0:0 eth0:1
> eth0:2 so on and so forth.
>
> Subnetting is not ideal in this situation because it’s a huge waste of IP
> space.
>

In oVirt 4.0, you can choose a vnic libvirt filter from a list (at the vnic
profile settings).
You can check the clean-traffic filter which uses multiple other more
specific filters.
Ref: https://libvirt.org/formatnwfilter.html

Thanks,
Edy.




Re: [ovirt-users] IP Address Stealing

2016-08-03 Thread Subhendu Ghosh
Not built into ovirt AFAIK, but an ebtables rule can allow you to filter out
mac+ip combinations

Look at the anti-spoofing rules on ebtables.netfilter.org

It doesn't prevent the user adding it in the vm, but the infrastructure blocks
its usage.


From: Bill Bill 
Sent: Aug 3, 2016 22:40
To: users@ovirt.org
Subject: [ovirt-users] IP Address Stealing

Hello,

Is it possible to prevent a VM from adding an IP? For example, if we provision
a VM with one IP, if the user has root access they can simply add random IPs
from within the same range as sub interfaces: eth0:0 eth0:1 eth0:2 so on and so
forth.

Subnetting is not ideal in this situation because it’s a huge waste of IP space.
