[one-users] IP Spoof Prevention
Ruben S. Montero
rsmontero at opennebula.org
Wed Jul 18 01:45:19 PDT 2012
Hi,
We forgot to add that if you are using KVM, you may try filter for the NIC:
NIC = [ NETWORK ="MyVLAN", filter = "clean-traffic" ]
This will give you IP and ARP spoofing (thanks jordan pittier for bringing
this out). The rules provided in the patch will benefit the other
hypervisors also.
Cheers
Ruben
On Tue, Jul 17, 2012 at 6:29 PM, Jaime Melis <jmelis at opennebula.org> wrote:
> Hello Ricardo,
>
> That's a very nifty feature to have. The core idea of the networking
> scripts is that they are easily extensible and features like this are easy
> to have.
>
> We have created a ticket [1] to provide this feature out of the box with
> the next OpenNebula release. However you can apply the patch [2] we've
> already submitted to this file :
> /var/tmp/one/vnm/Firewall.rb
> and do "onehost sync" so it gets copied to all your hosts.
>
> Take into account that this is an unfinished feature and not yet ready for
> production.
>
> To test it simply add this to your NIC section in the VM template:
> NO_IP_SPOOFING = "YES"
>
> [1] http://dev.opennebula.org/issues/1372
> [2]
> http://dev.opennebula.org/projects/opennebula/repository/revisions/2b940821bd630010318996da1ada98cc26d78a4b/diff/src/vnm_mad/remotes/Firewall.rb?format=diff
>
> cheers,
> Jaime
>
> On Sat, Jul 14, 2012 at 10:18 PM, Ricardo Duarte <rjtd21 at hotmail.com>wrote:
>
>> Hi there,
>>
>> I want/need to enforce instances to use the IPs allocated by OpenNebula.
>> I do have them configured on boot, but nothing currently prevents my
>> users to change them.
>> This can lead to problems as they can DoS other user instances, or even
>> my router, proxy or infrastructure services.
>> I currently use ebtables, but it only prevents mac spoof (by the way,
>> what's the use case for that?). Iptables, as far as I can see, will only
>> set rules for Layer 7.
>> I previously tested CloudStack, and they used iptables to enforce the IP.
>> Also, as far as I know, libvirt now supports ip antispoof.
>> I though about adding the iptables rules to ebtables, but then I they
>> would be overriden by OpenNebula firewall. Also, I'm unsure how it would
>> behave when machines are live migrated.
>> My question is if there is a way, out of the box, to prevent spoof. If
>> not, maybe somebody can give me some guidance on what files or hooks to
>> change.
>>
>> Thanks.
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opennebula.org
>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>
>>
>
>
> --
> Jaime Melis
> Project Engineer
> OpenNebula - The Open Source Toolkit for Cloud Computing
> www.OpenNebula.org | jmelis at opennebula.org
>
> _______________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>
>
--
Ruben S. Montero, PhD
Project co-Lead and Chief Architect
OpenNebula - The Open Source Solution for Data Center Virtualization
www.OpenNebula.org | rsmontero at opennebula.org | @OpenNebula
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opennebula.org/pipermail/users-opennebula.org/attachments/20120718/d4b1dd90/attachment-0002.htm>
More information about the Users
mailing list