Backlog #1372
provide a no-ip-spoofing mechanism for the firewall network drivers
| Status: | Closed | Start date: | 07/17/2012 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | Drivers - Network | | |
| Target version: | - | | |
Description
As requested by Ricardo Duarte on the mailing list, there should be a no-ip-spoofing mechanism in the firewall network drivers.
History
#1 Updated by Jaime Melis almost 9 years ago
Committed a first version of the no-ip-spoofing script in Firewall.rb. Still to undergo testing and to be documented.
#2 Updated by Jaime Melis almost 9 years ago
The chain names have changed; that will impact the deactivate script for running VMs with the previous chain names. This has to be fixed.
#3 Updated by jordan pittier almost 9 years ago
For what it's worth, here are the ebtables rules that libvirt's network filter named "clean-traffic" sets up. It prevents both IP and ARP spoofing.
I agree that adding these rules in firewall.rb would benefit all supported hypervisors (currently only KVM, thanks to libvirt, can perform proper network isolation by default, see last line of etc/vmm_exec/vmm_exec_kvm.conf).
```
root@csdd7:/home/oneadmin# ebtables -t nat -L
Bridge table: nat
Bridge chain: PREROUTING, entries: 1, policy: ACCEPT
-i vnet0 -j libvirt-I-vnet0
Bridge chain: POSTROUTING, entries: 1, policy: ACCEPT
-o vnet0 -j libvirt-O-vnet0
Bridge chain: libvirt-I-vnet0, entries: 9, policy: ACCEPT
-j I-vnet0-mac
-p IPv4 -j I-vnet0-ipv4-ip
-p IPv4 -j ACCEPT
-p ARP -j I-vnet0-arp-mac
-p ARP -j I-vnet0-arp-ip
-p ARP -j ACCEPT
-p 0x8035 -j I-vnet0-rarp
-p 0x835 -j ACCEPT
-j DROP
Bridge chain: libvirt-O-vnet0, entries: 4, policy: ACCEPT
-p IPv4 -j O-vnet0-ipv4
-p ARP -j ACCEPT
-p 0x8035 -j O-vnet0-rarp
-j DROP
Bridge chain: I-vnet0-mac, entries: 2, policy: ACCEPT
-s 52:54:0:0:5:fa -j RETURN
-j DROP
Bridge chain: I-vnet0-ipv4-ip, entries: 3, policy: ACCEPT
-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
-p IPv4 --ip-src 88.190.214.XX -j RETURN
-j DROP
Bridge chain: O-vnet0-ipv4, entries: 1, policy: ACCEPT
-j ACCEPT
Bridge chain: I-vnet0-arp-mac, entries: 2, policy: ACCEPT
-p ARP --arp-mac-src 52:54:0:0:5:fa -j RETURN
-j DROP
Bridge chain: I-vnet0-arp-ip, entries: 2, policy: ACCEPT
-p ARP --arp-ip-src 88.190.214.XX -j RETURN
-j DROP
Bridge chain: I-vnet0-rarp, entries: 2, policy: ACCEPT
-p 0x8035 -s 52:54:0:0:5:fa -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 52:54:0:0:5:fa --arp-mac-dst 52:54:0:0:5:fa -j ACCEPT
-j DROP
Bridge chain: O-vnet0-rarp, entries: 2, policy: ACCEPT
-p 0x8035 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 52:54:0:0:5:fa --arp-mac-dst 52:54:0:0:5:fa -j ACCEPT
-j DROP
```
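The same MAC/IP/ARP pinning expressed as a rule generator in the style a firewall.rb-like driver could use, as an added example that is not part of this thread or of OpenNebula's code; the class and method names (NoSpoofRules, activate, deactivate) are illustrative, and it assumes an ebtables binary with the nat table available on the host:

```ruby
# Added example (not OpenNebula's firewall.rb): generate ebtables rules that
# pin a VM's tap interface to its assigned MAC and IPv4 addresses, following
# the chain layout of libvirt's "clean-traffic" listing. Names are illustrative.
class NoSpoofRules
  IFACE_RE = /\A[a-z0-9_.-]+\z/i
  MAC_RE   = /\A([0-9a-f]{1,2}:){5}[0-9a-f]{1,2}\z/i
  IPV4_RE  = /\A(\d{1,3}\.){3}\d{1,3}\z/
  def initialize(iface, mac, ips)
    # Validate inputs: these strings end up on a shell command line.
    raise ArgumentError, "bad iface #{iface}" unless iface =~ IFACE_RE
    raise ArgumentError, "bad mac #{mac}"     unless mac =~ MAC_RE
    ips.each { |ip| raise ArgumentError, "bad ip #{ip}" unless ip =~ IPV4_RE }
    @iface, @mac, @ips = iface, mac, ips
    @in_chain  = "I-#{iface}"   # frames coming from the VM (-i)
    @out_chain = "O-#{iface}"   # frames going to the VM (-o)
  end
  # Commands that install the filter; run them in order (e.g. with system).
  def activate
    t = 'ebtables -t nat'
    cmds = ["#{t} -N #{@in_chain}", "#{t} -N #{@out_chain}",
            "#{t} -A PREROUTING -i #{@iface} -j #{@in_chain}",
            "#{t} -A POSTROUTING -o #{@iface} -j #{@out_chain}"]
    # Ingress: every frame must carry the VM's own source MAC.
    cmds << "#{t} -A #{@in_chain} -s ! #{@mac} -j DROP"
    # IPv4: allow DHCP discovery from 0.0.0.0, then only the assigned IPs.
    cmds << "#{t} -A #{@in_chain} -p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j ACCEPT"
    @ips.each { |ip| cmds << "#{t} -A #{@in_chain} -p IPv4 --ip-src #{ip} -j ACCEPT" }
    cmds << "#{t} -A #{@in_chain} -p IPv4 -j DROP"
    # ARP: sender MAC and sender IP must both belong to the VM (ARP poisoning).
    cmds << "#{t} -A #{@in_chain} -p ARP --arp-mac-src ! #{@mac} -j DROP"
    @ips.each { |ip| cmds << "#{t} -A #{@in_chain} -p ARP --arp-ip-src #{ip} -j ACCEPT" }
    cmds << "#{t} -A #{@in_chain} -p ARP -j DROP"
    # Everything else (IPv6, RARP, ...) is dropped, as in the libvirt listing.
    cmds << "#{t} -A #{@in_chain} -j DROP"
    # Egress: only IPv4 and ARP are delivered to the VM.
    cmds << "#{t} -A #{@out_chain} -p IPv4 -j ACCEPT"
    cmds << "#{t} -A #{@out_chain} -p ARP -j ACCEPT"
    cmds << "#{t} -A #{@out_chain} -j DROP"
  end
  # Commands that remove the filter. Chain names derive from the iface only,
  # so a VM started under older chain names needs matching cleanup.
  def deactivate
    t = 'ebtables -t nat'
    ["#{t} -D PREROUTING -i #{@iface} -j #{@in_chain}",
     "#{t} -D POSTROUTING -o #{@iface} -j #{@out_chain}",
     "#{t} -F #{@in_chain}", "#{t} -X #{@in_chain}",
     "#{t} -F #{@out_chain}", "#{t} -X #{@out_chain}"]
  end
end
```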
#4 Updated by Ruben S. Montero almost 9 years ago
And in fact it is supported with the filter option:
NIC = [ NETWORK ="MyVLAN", filter = "clean-traffic" ]
#5 Updated by jordan pittier almost 9 years ago
Yeah, you're right. But it's KVM specific and it would be great if firewall.rb could be updated so that this kind of filtering is supported on all platforms.
#6 Updated by Ruben S. Montero almost 9 years ago
- Status changed from New to Assigned
#7 Updated by Ruben S. Montero almost 9 years ago
- Target version changed from Release 3.8 to Release 4.0
#8 Updated by Artur Kraev over 8 years ago
Unfortunately this method (as also KVM's clean-traffic) is not working with openvswitch.
#9 Updated by Ruben S. Montero over 8 years ago
- Target version changed from Release 4.0 to Release 4.2
#10 Updated by Ruben S. Montero about 8 years ago
- Category changed from Drivers - Auth to Drivers - Network
#11 Updated by Ruben S. Montero about 8 years ago
- Tracker changed from Feature to Backlog
- Status changed from Assigned to Pending
- Assignee deleted (Jaime Melis)
- Target version deleted (Release 4.2)
#12 Updated by Ruben S. Montero over 6 years ago
- Status changed from Pending to Closed
In security groups features...