<div dir="ltr">Hi Jure,<div><br></div><div>It's ok....but what about if user will spoof the ip on the eth0:0....then the mac address will be same as eth0 ?? how we can control this ??</div><div><br></div><div>Thanks,</div>
<div>Punit D</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Jul 9, 2014 at 3:38 PM, Jure Kranjc <span dir="ltr"><<a href="mailto:jure.kranjc@arnes.si" target="_blank">jure.kranjc@arnes.si</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Hi,<br>
<br>
I don't know if this is much help but here is our setup which
works in a way that users cannot spoof public IP from inside VM.<br>
We've set up a MAC pool range on engine and a DHCP server on one
VM, this server assigns IPs according to VMs MACs.<br>
We use CentOS6 nodes (and engine 3.3.5). The node always sees the
VM's NIC by it's ovirt MAC, even if user changes it from inside
VM.<br>
Now the solution was ebtables (bridge tables). We've set rules on
bridge to public network which drops packets if they don't come
from legit MAC/IP combination. Example:<br>
<br>
-A FORWARD -p IPv4 -s 0:1a:4a:f9:xx:xx --ip-src ! IPADDRofVM -j
DROP<br>
<br>
Any comments on the setup are appriceated.<br>
<pre cols="72">JureKr
</pre><div><div class="h5">
On 06/19/2014 10:23 AM, Punit Dambiwal wrote:<br>
</div></div></div>
<blockquote type="cite"><div><div class="h5">
<div dir="ltr">Hi,
<div><br>
</div>
<div>I have setup Ovirt with glusterfs...I have some concern
about the network part....</div>
<div><br>
</div>
<div>1. Is there any way to restrict the Guest VM...so that it
can be assign with single ip address...and in anyhow the user
can not manipulate the IP address from inside the VM (that
means user can not change the ip address inside the VM).</div>
<div><br>
</div>
<div>Thanks,</div>
<div>PunitĀ </div>
</div>
<br>
<fieldset></fieldset>
<br>
</div></div><div class=""><pre>_______________________________________________
Users mailing list
<a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a>
<a href="http://lists.ovirt.org/mailman/listinfo/users" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a>
</pre>
</div></blockquote>
<br>
</div>
<br>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@ovirt.org">Users@ovirt.org</a><br>
<a href="http://lists.ovirt.org/mailman/listinfo/users" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><br>
<br></blockquote></div><br></div>