Cool. It looks like that works. Perhaps it would be good for oVirt to have a few text fields in the NIC properties to enter IP addresses into, which can then match the rules being used. For example, when enabling the clean-traffic filter it appears the VM can only have 1 IP address; even if another IP is added legitimately, it still only works with the original IP address.

Something like this:
http://i.imgur.com/9BUZRCN.jpg

So essentially, traffic would be blocked on that VM for any IP space other than the IPs entered into the text fields, which then edit/work with the netfilter rules. The idea would be that clicking “click to add more” adds another text field.
From: Edward Haas <ehaas@redhat.com>
Sent: Thursday, August 4, 2016 3:47 AM
To: Subhendu Ghosh <sghosh@redhat.com>
Cc: Bill Bill <jax2568@outlook.com>; users <users@ovirt.org>
Subject: Re: [ovirt-users] IP Address Stealing
On Thu, Aug 4, 2016 at 6:27 AM, Subhendu Ghosh <sghosh@redhat.com> wrote:

Not built into ovirt AFAIK, but an ebtables rule can allow you to filter out mac+ip combinations.
Look at the anti-spoofing rules on ebtables.netfilter.org (http://ebtables.netfilter.org).
It doesn't prevent the user adding it in the VM, but the infrastructure blocks its usage.
________________________________
From: Bill Bill <jax2568@outlook.com>
Sent: Aug 3, 2016 22:40
To: users@ovirt.org
Subject: [ovirt-users] IP Address Stealing
Hello,

Is it possible to prevent a VM from adding an IP? For example, if we provision a VM with one IP, if the user has root access they can simply add random IPs from within the same range as sub-interfaces: eth0:0, eth0:1, eth0:2, and so on and so forth.

Subnetting is not ideal in this situation because it's a huge waste of IP space.
In oVirt 4.0, you can choose a vNIC libvirt filter from a list (at the vNIC profile settings).
You can check the clean-traffic filter, which uses multiple other more specific filters.
Ref:
https://libvirt.org/formatnwfilter.html

Thanks,
Edy.
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
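The multi-address case Bill asks about, as an added example that is not code from the oVirt or libvirt projects: the nwfilter format referenced above (https://libvirt.org/formatnwfilter.html) lets a filter variable such as IP carry several values, one `<parameter>` per value, and a clean-traffic rule referencing `$IP` then passes any of them while the NIC's other source addresses are still dropped. The Python below builds that `<interface>` XML fragment from a list of addresses (the "text fields" in Bill's sketch), rejects malformed entries, and reads the allowed set back out of the XML as a check. The sample addresses, bridge name and MAC are constructed for this example; it models the XML only and does not touch a live host.

```python
"""Let one VM NIC use several IPs under libvirt's clean-traffic filter.

Added example, not code from the oVirt or libvirt projects. It relies on
the nwfilter format documented at https://libvirt.org/formatnwfilter.html,
where a variable such as IP may be given several values (one <parameter>
per value) and a rule referencing $IP then matches any of them. The sample
addresses, bridge name and MAC below are constructed for this example.
"""
import ipaddress
import xml.etree.ElementTree as ET


def build_filterref(ips, filter_name="clean-traffic"):
    """Return a <filterref> element with one IP parameter per address.

    Rejects empty input, non-IPv4 and malformed strings with ValueError so a
    typo in a "text field" fails loudly instead of producing a filter that
    silently binds the NIC to the wrong address. Duplicates are collapsed.
    The MAC variable is not set here: libvirt fills it from the NIC's own
    <mac> element.
    """
    if not ips:
        raise ValueError("at least one IP address is required")
    ref = ET.Element("filterref", filter=filter_name)
    seen = set()
    for raw in ips:
        addr = ipaddress.ip_address(raw.strip())
        if addr.version != 4:
            raise ValueError(f"only IPv4 is handled in this example: {raw!r}")
        if addr in seen:
            continue
        seen.add(addr)
        ET.SubElement(ref, "parameter", name="IP", value=str(addr))
    return ref


def interface_xml(ips, mac="52:54:00:aa:bb:cc", bridge="ovirtmgmt"):
    """Return the <interface> XML a domain definition would carry for this NIC.

    Bridge name and MAC are constructed defaults, not values from the thread.
    """
    iface = ET.Element("interface", type="bridge")
    ET.SubElement(iface, "source", bridge=bridge)
    ET.SubElement(iface, "mac", address=mac)
    iface.append(build_filterref(ips))
    return ET.tostring(iface, encoding="unicode")


def allowed_ips(iface_xml):
    """Read back the set of source addresses the filterref binds to $IP."""
    root = ET.fromstring(iface_xml)
    return {
        p.get("value")
        for p in root.iterfind(".//filterref/parameter")
        if p.get("name") == "IP"
    }


def is_source_allowed(iface_xml, src_ip):
    """Simplified model of the thread's claim: only $IP values pass, the rest is dropped.

    This inspects the XML, not a running hypervisor; it does not replace
    checking the ebtables/iptables rules libvirt actually installs.
    """
    return str(ipaddress.ip_address(src_ip)) in allowed_ips(iface_xml)


if __name__ == "__main__":
    # Constructed input: what two "text fields" (plus a duplicate entry) would hold.
    xml_text = interface_xml(["10.0.0.5", "10.0.0.6", " 10.0.0.5"])
    print(xml_text)
    for candidate in ("10.0.0.5", "10.0.0.6", "10.0.0.7"):
        state = "allowed" if is_source_allowed(xml_text, candidate) else "dropped"
        print(candidate, state)
```

The generated fragment is what a vNIC profile would need to carry instead of a single learned address: when IP parameters are given explicitly, the filter no longer depends on the first address the VM happened to use, which is the behaviour Bill observed with the bare clean-traffic filter.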