[one-users] IP Spoof Prevention
Jaime Melis
jmelis at opennebula.org
Tue Jul 17 09:29:08 PDT 2012
Hello Ricardo,
That's a very nifty feature to have. The core idea of the networking
scripts is that they are easily extensible and features like this are easy
to have.
We have created a ticket [1] to provide this feature out of the box with
the next OpenNebula release. However you can apply the patch [2] we've
already submitted to this file :
/var/tmp/one/vnm/Firewall.rb
and do "onehost sync" so it gets copied to all your hosts.
Take into account that this is an unfinished feature and not yet ready for
production.
To test it simply add this to your NIC section in the VM template:
NO_IP_SPOOFING = "YES"
[1] http://dev.opennebula.org/issues/1372
[2]
http://dev.opennebula.org/projects/opennebula/repository/revisions/2b940821bd630010318996da1ada98cc26d78a4b/diff/src/vnm_mad/remotes/Firewall.rb?format=diff
cheers,
Jaime
On Sat, Jul 14, 2012 at 10:18 PM, Ricardo Duarte <rjtd21 at hotmail.com> wrote:
> Hi there,
>
> I want/need to enforce instances to use the IPs allocated by OpenNebula.
> I do have them configured on boot, but nothing currently prevents my users
> to change them.
> This can lead to problems as they can DoS other user instances, or even my
> router, proxy or infrastructure services.
> I currently use ebtables, but it only prevents mac spoof (by the way,
> what's the use case for that?). Iptables, as far as I can see, will only
> set rules for Layer 7.
> I previously tested CloudStack, and they used iptables to enforce the IP.
> Also, as far as I know, libvirt now supports ip antispoof.
> I though about adding the iptables rules to ebtables, but then I they
> would be overriden by OpenNebula firewall. Also, I'm unsure how it would
> behave when machines are live migrated.
> My question is if there is a way, out of the box, to prevent spoof. If
> not, maybe somebody can give me some guidance on what files or hooks to
> change.
>
> Thanks.
>
> _______________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>
>
--
Jaime Melis
Project Engineer
OpenNebula - The Open Source Toolkit for Cloud Computing
www.OpenNebula.org | jmelis at opennebula.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opennebula.org/pipermail/users-opennebula.org/attachments/20120717/f9fffb13/attachment-0003.htm>
More information about the Users
mailing list