Hi,<div><br></div><div>We forgot to add that if you are using KVM, you may try filter for the NIC:</div><div><br></div><div> NIC = [ NETWORK ="MyVLAN", filter = "clean-traffic" ]</div><div><br></div><div>
This will give you IP and ARP spoofing (thanks jordan pittier for bringing this out). The rules provided in the patch will benefit the other hypervisors also. </div><div><br></div><div>Cheers</div><div><br></div><div>
Ruben<br><br><div class="gmail_quote">On Tue, Jul 17, 2012 at 6:29 PM, Jaime Melis <span dir="ltr"><<a href="mailto:jmelis@opennebula.org" target="_blank">jmelis@opennebula.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hello Ricardo,<div><br></div><div>That's a very nifty feature to have. The core idea of the networking scripts is that they are easily extensible and features like this are easy to have.</div><div><br></div><div>We have created a ticket [1] to provide this feature out of the box with the next OpenNebula release. However you can apply the patch [2] we've already submitted to this file :</div>
<div>/var/tmp/one/vnm/Firewall.rb</div><div>and do "onehost sync" so it gets copied to all your hosts.</div><div><br></div><div>Take into account that this is an unfinished feature and not yet ready for production.</div>
<div><br></div><div>To test it simply add this to your NIC section in the VM template:</div><div>NO_IP_SPOOFING = "YES"</div><div><br></div><div>[1] <a href="http://dev.opennebula.org/issues/1372" target="_blank">http://dev.opennebula.org/issues/1372</a></div>
<div>[2] <a href="http://dev.opennebula.org/projects/opennebula/repository/revisions/2b940821bd630010318996da1ada98cc26d78a4b/diff/src/vnm_mad/remotes/Firewall.rb?format=diff" target="_blank">http://dev.opennebula.org/projects/opennebula/repository/revisions/2b940821bd630010318996da1ada98cc26d78a4b/diff/src/vnm_mad/remotes/Firewall.rb?format=diff</a></div>
<div><br>cheers,</div><div>Jaime</div><div><br><div class="gmail_quote"><div><div class="h5">On Sat, Jul 14, 2012 at 10:18 PM, Ricardo Duarte <span dir="ltr"><<a href="mailto:rjtd21@hotmail.com" target="_blank">rjtd21@hotmail.com</a>></span> wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5">
<div><div dir="ltr">
Hi there,<br><br>I want/need to enforce instances to use the IPs allocated by OpenNebula.<br>I do have them configured on boot, but nothing currently prevents my users to change them.<br>This can lead to problems as they can DoS other user instances, or even my router, proxy or infrastructure services.<br>
I currently use ebtables, but it only prevents mac spoof (by the way, what's the use case for that?). Iptables, as far as I can see, will only set rules for Layer 7.<br>I previously tested CloudStack, and they used iptables to enforce the IP. Also, as far as I know, libvirt now supports ip antispoof.<br>
I though about adding the iptables rules to ebtables, but then I they would be overriden by OpenNebula firewall. Also, I'm unsure how it would behave when machines are live migrated.<br>My question is if there is a way, out of the box, to prevent spoof. If not, maybe somebody can give me some guidance on what files or hooks to change.<br>
<br>Thanks.<br> </div></div>
<br></div></div><div class="im">_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opennebula.org" target="_blank">Users@lists.opennebula.org</a><br>
<a href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org" target="_blank">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a><br>
<br></div></blockquote></div><span class="HOEnZb"><font color="#888888"><br><br clear="all"><div><br></div>-- <br>Jaime Melis<br>Project Engineer<br>OpenNebula - The Open Source Toolkit for Cloud Computing<br><a href="http://www.OpenNebula.org" target="_blank">www.OpenNebula.org</a> | <a href="mailto:jmelis@opennebula.org" target="_blank">jmelis@opennebula.org</a><br>
</font></span></div>
<br>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opennebula.org">Users@lists.opennebula.org</a><br>
<a href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org" target="_blank">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br>Ruben S. Montero, PhD<br>Project co-Lead and Chief Architect<br>OpenNebula - The Open Source Solution for Data Center Virtualization<br><a href="http://www.OpenNebula.org" target="_blank">www.OpenNebula.org</a> | <a href="mailto:rsmontero@opennebula.org" target="_blank">rsmontero@opennebula.org</a> | @OpenNebula<br>
</div>