[one-users] IP Spoof Prevention

Ricardo Duarte rjtd21 at hotmail.com
Sat Jul 14 13:18:12 PDT 2012


Hi there,

I want/need to enforce instances to use the IPs allocated by OpenNebula.
I do have them configured on boot, but nothing currently prevents my users to change them.
This can lead to problems as they can DoS other user instances, or even my router, proxy or infrastructure services.
I currently use ebtables, but it only prevents mac spoof (by the way, what's the use case for that?). Iptables, as far as I can see, will only set rules for Layer 7.
I previously tested CloudStack, and they used iptables to enforce the IP. Also, as far as I know, libvirt now supports ip antispoof.
I though about adding the iptables rules to ebtables, but then I they would be overriden by OpenNebula firewall. Also, I'm unsure how it would behave when machines are live migrated.
My question is if there is a way, out of the box, to prevent spoof. If not, maybe somebody can give me some guidance on what files or hooks to change.

Thanks.
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opennebula.org/pipermail/users-opennebula.org/attachments/20120714/fde3697c/attachment.htm>


More information about the Users mailing list