<div dir="ltr"><div>I forgot to comment</div><div><br></div><div>It is a public network (Public IP)</div><div><br></div><div>I have 2 servers and 1 router</div><div>I hired an "IP block" that can be accessed through the router</div><div><br></div><div>For example:</div><div><br></div><div>Network: 165.112.12.112/28</div><div>IPs: 165.112.12.113 - 167.114.12.125</div><div>Gateway: 165.112.12.126 (router)</div><div><br></div><div>I provide my client a public IP directly in the VM</div><div><br></div><div>I want to prevent a customer from responding as another customer</div><div>or taking another available IP for himself</div><div><br></div><div>----</div><div><br></div><div>Since my client has access to the "User Portal",</div><div>will the "clean-traffic" filter prevent him from changing the IP when he shuts down and restarts the VM?</div><div><br></div><div>Thanks,<br></div><div>André</div><div class="gmail_extra"><br><div class="gmail_quote">2016-09-13 5:57 GMT-03:00 Marcin Mirecki <span dir="ltr">&lt;<a href="mailto:mmirecki@redhat.com" target="_blank">mmirecki@redhat.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi André,<br>
<br>
The best separation would be providing a separate network for each customer.<br>
This way you could protect them from other malicious users on your internal networks.<br>
Please describe your env in some more detail.<br>
<br>
Thanks,<br>
Marcin<br>
<div><div class="gmail-h5"><br>
<br>
<br>
----- Original Message -----<br>
> From: "André Gustavo" &lt;<a href="mailto:andre@andregustavo.org">andre@andregustavo.org</a>&gt;<br>
> To: <a href="mailto:Users@ovirt.org">Users@ovirt.org</a><br>
> Sent: Monday, September 12, 2016 8:33:40 PM<br>
> Subject: [ovirt-users] Associate IP addresses to MAC addresses (anti-spoofing rules)<br>
><br>
> Aloha,<br>
><br>
> I'm using oVirt 4 in my hosting.<br>
><br>
> However, a customer can easily change the IP to another client's (IP spoofing)<br>
><br>
> In vNIC profiles, I altered the Network Filter<br>
> from "VDSM-on-mac-spoofing" to "no-ip-spoofing"<br>
><br>
> It worked partially, but if the client powers off the VM and turns it on again,<br>
> he can change the IP<br>
><br>
> I tried to use ebtables, but also had problems<br>
> <a href="http://ebtables.netfilter.org/examples/basic.html#ex_anti-spoof" rel="noreferrer" target="_blank">http://ebtables.netfilter.org/<wbr>examples/basic.html#ex_anti-<wbr>spoof</a><br>
><br>
><br>
> What is the best option?<br>
><br>
><br>
> --<br>
> ---<br>
> André Gustavo Timermann<br>
> Curitiba/PR - Brasil<br>
><br>
</div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div>---</div>André Gustavo Timermann</div>
</div></div>