
Hello guys, I'm searching for a simple firewall solution (deny some ports etc.). Is it possible to configure a firewall on the node, to protect the VMs? Thanks, Lukas

Do you want to protect the VMs or the manager?
----- Original Message ----- From: "Ovirt User" <ldrt8789@gmail.com> To: users@ovirt.org Sent: Tuesday, June 3, 2014 11:29:23 AM Subject: [ovirt-users] Firewall?
[snip]
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

The VMs, thanks.
On 03/Jun/2014, at 17:39, Maurice James <mjames@media-node.com> wrote:
[snip]

The VM becomes its own system; you will have to enable the firewall on the VM itself: Windows Firewall for Windows clients and iptables or firewalld for Linux clients.
----- Original Message ----- From: "Ovirt User" <ldrt8789@gmail.com> To: "Maurice James" <mjames@media-node.com> Cc: users@ovirt.org Sent: Tuesday, June 3, 2014 3:33:10 PM Subject: Re: [ovirt-users] Firewall?
[snip]

Thanks, I know that. :)
I'm asking whether it is possible to manage firewall rules at node level, since the node manages networking for the VMs... Anyone know that?
Thanks
On 04/Jun/2014, at 01:15, Maurice James <mjames@media-node.com> wrote:
[snip]

As far as I know the node cannot manage the firewall on the VM, just like the node cannot manage the firewall of another node.
----- Original Message ----- From: "Ovirt User" <ldrt8789@gmail.com> To: "Maurice James" <mjames@media-node.com> Cc: users@ovirt.org Sent: Wednesday, June 4, 2014 1:48:13 AM Subject: Re: [ovirt-users] Firewall?
[snip]

On 06/04/2014 04:08 PM, Maurice James wrote:
As far as I know the node cannot manage the firewall on the VM, just like the node cannot manage the firewall of another node.
Try the Security Groups support in 3.4 via the Neutron integration? http://www.ovirt.org/Features/Detailed_OSN_Integration
[snip]

Yes, I know Neutron, but I really don't want a server managing my L3 networks! :-) :-)) And you?
On 04/Jun/2014, at 22:15, Itamar Heim <iheim@redhat.com> wrote:
[snip]

On 06/05/2014 08:44 AM, Ovirt User wrote:
Yes, I know Neutron, but I really don't want a server managing my L3 networks! :-) :-)) And you?
The security group feature defines iptables rules on the node itself. Worth noting that this is not the firewall service in Neutron, which runs on the network node with the L3 virtual router etc.
[snip]

You could also do some transparent firewalling using ebtables to drop to iptables, no?
-Chris
On 6/4/2014 10:44 PM, Ovirt User wrote:
[snip]

Thanks Livnat, but I don't really understand.
The security group feature defines iptables rules on the node itself. About that: how can I define security group rules? And in a cluster, are they automatically propagated to all nodes?
On 03/Jun/2014, at 17:29, Ovirt User <ldrt8789@gmail.com> wrote:
[snip]

On 06/05/2014 09:37 AM, Ovirt User wrote:
[snip]
The security group is configured per VM; the rules are configured by the system on the node the VM is running on.
From the user perspective you need to configure a security group policy and then associate the VM with the relevant policy; there is also a default policy to which all VMs are associated by default.
To use this feature you need to use the oVirt-Neutron integration - http://www.ovirt.org/Features/Detailed_OSN_Integration#Security_groups
One caveat in this integration is that we did not handle VM migration yet.
[snip]

On Thu, Jun 5, 2014 at 10:02 AM, Livnat Peer <lpeer@redhat.com> wrote:
[snip]
How can I set more than one custom device property?
For example, in my case when I had to use extnet I lost the security groups one...
before:
[root@tekkaman ovirt-engine]# engine-config -g CustomDeviceProperties
CustomDeviceProperties:  version: 3.0
CustomDeviceProperties:  version: 3.1
CustomDeviceProperties:  version: 3.2
CustomDeviceProperties:  version: 3.3
CustomDeviceProperties: {type=interface;prop={SecurityGroups=^(?:(?:[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}, *)*[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}|)$}} version: 3.4
then:
[root@tekkaman ovirt-engine]# engine-config -s CustomDeviceProperties='{type=interface;prop={extnet=^[a-zA-Z0-9_ ---]+$}}'
Please select a version:
1. 3.0
2. 3.1
3. 3.2
4. 3.3
5. 3.4
5
after:
[root@tekkaman ovirt-engine]# engine-config -g CustomDeviceProperties
CustomDeviceProperties:  version: 3.0
CustomDeviceProperties:  version: 3.1
CustomDeviceProperties:  version: 3.2
CustomDeviceProperties:  version: 3.3
CustomDeviceProperties: {type=interface;prop={extnet=^[a-zA-Z0-9_ ---]+$}} version: 3.4
# systemctl restart ovirt-engine
What is the syntax to add extnet without deleting the security groups one?
Thanks
Gianluca

I'm adding Moti to provide the details.
On 06/05/2014 11:34 AM, Gianluca Cecchi wrote:
[snip]

----- Original Message -----
From: "Gianluca Cecchi" <gianluca.cecchi@gmail.com> To: "Livnat Peer" <lpeer@redhat.com> Cc: users@ovirt.org Sent: Thursday, June 5, 2014 11:34:11 AM Subject: Re: [ovirt-users] Firewall?
[snip]
What is the syntax to add extnet without deleting the security groups one?
See the example in [1], modified a bit to fit your goal:
1. sudo engine-config -g CustomDeviceProperties --cver 3.4
2. Copy the SecurityGroups into the variable PREVIOUS_PROPERTIES, i.e.
PREVIOUS_PROPERTIES="SecurityGroups=^(?:(?:[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}, *)*[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}|)$"
3. sudo engine-config -s "CustomDeviceProperties={type=interface;prop={$PREVIOUS_PROPERTIES;extnet=^[a-zA-Z0-9_ ---]+$}}" --cver=3.4
4. Verify: sudo engine-config -g CustomDeviceProperties --cver 3.4
5. Restart ovirt-engine for the changes to reload.
[1] https://github.com/oVirt/vdsm/tree/master/vdsm_hooks/macspoof
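Moti's five steps, worked through as an added Python example (this is not oVirt code and not from the thread): it parses the value that `engine-config -g CustomDeviceProperties` prints, adds a property without dropping the ones already there, and builds the `engine-config -s` line to run. It assumes, as holds for the regexes on this page, that a property regex contains no literal `;` (that character separates properties in the engine's syntax). The UUID list it checks against the SecurityGroups regex is made up; running engine-config and restarting ovirt-engine remain manual steps.

```python
"""Merge a new oVirt CustomDeviceProperties entry without clobbering existing ones.

Added example for this thread, not oVirt's own code. It only manipulates the value
string that `engine-config -g/-s CustomDeviceProperties` prints and accepts.
"""
from __future__ import annotations

import re
import shlex

# Values copied from the engine-config output quoted in the thread (oVirt 3.4).
SECURITY_GROUPS_RE = (
    r"^(?:(?:[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}, *)*"
    r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}|)$"
)
EXTNET_RE = r"^[a-zA-Z0-9_ ---]+$"
CURRENT_34 = "{type=interface;prop={SecurityGroups=" + SECURITY_GROUPS_RE + "}}"


def _split_top_level(text: str, sep: str = ";") -> list[str]:
    """Split on `sep` only outside braces, so quantifiers like {8} inside a regex survive.
    Assumption: property regexes contain no literal ';' (true for the ones on this page)."""
    parts: list[str] = []
    depth, cur = 0, []
    for ch in text:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == sep and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p for p in parts if p]


def parse_custom_device_properties(value: str) -> dict[str, dict[str, str]]:
    """'{type=interface;prop={A=re;B=re}}' -> {'interface': {'A': 're', 'B': 're'}}."""
    table: dict[str, dict[str, str]] = {}
    for entry in _split_top_level(value):
        m = re.fullmatch(r"\{type=([^;{}]+);prop=\{(.*)\}\}", entry, re.DOTALL)
        if not m:
            raise ValueError(f"unrecognised CustomDeviceProperties entry: {entry!r}")
        props: dict[str, str] = {}
        for item in _split_top_level(m.group(2)):
            name, eq, regex = item.partition("=")
            if not eq or not name or not regex:
                raise ValueError(f"malformed property: {item!r}")
            props[name] = regex
        table[m.group(1)] = props
    return table


def format_custom_device_properties(table: dict[str, dict[str, str]]) -> str:
    """Inverse of parse_custom_device_properties: the string engine-config -s accepts."""
    return ";".join(
        "{type=%s;prop={%s}}" % (dev_type, ";".join(f"{k}={v}" for k, v in props.items()))
        for dev_type, props in table.items()
    )


def add_custom_device_property(current: str, dev_type: str, name: str, regex: str) -> str:
    """Return the merged value: `name` added (or replaced), every other property kept."""
    if ";" in regex:
        raise ValueError("a ';' in the regex would break the engine's property-list syntax")
    table = parse_custom_device_properties(current) if current.strip() else {}
    table.setdefault(dev_type, {})[name] = regex
    return format_custom_device_properties(table)


def engine_config_set_command(value: str, cver: str = "3.4") -> str:
    """Shell line for the engine host; shlex quotes the regex metacharacters for you."""
    return shlex.join(["engine-config", "-s", f"CustomDeviceProperties={value}", f"--cver={cver}"])


def security_groups_value_ok(value: str, table: dict[str, dict[str, str]]) -> bool:
    """Validate a vNIC's SecurityGroups custom-property value (comma-separated Neutron
    group UUIDs, or empty) against the validator regex the engine stores for it."""
    return re.fullmatch(table["interface"]["SecurityGroups"], value) is not None


if __name__ == "__main__":
    merged = add_custom_device_property(CURRENT_34, "interface", "extnet", EXTNET_RE)
    print(merged)
    print(engine_config_set_command(merged))
```

The merged value is exactly what Moti's step 3 produces by hand; the difference is that the script re-reads whatever is currently set, so a third property (or a second device type) added later is also preserved. Anything the engine later rejects as a vNIC property value can be checked offline with `security_groups_value_ok` before the VM is edited.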

I haven't done it based on IP, but I think you could set separate chains per MAC or 802.1Q VLAN ID..
ebtables -A FORWARD -p IPv4 --ip-dst 172.16.1.4 -s -j DROP
or
ebtables -A FORWARD -d 00:11:22:33:44:55 -j DROP
DROP actually drops to iptables. So then you just set up iptables normally. This assumes you're running a bridge, and watch out for --physdev-in.
-Chris
On 6/5/2014 8:55 AM, Ovirt User wrote:
hi chris,
at node level ?
On 03/Jun/2014, at 17:29, Ovirt User <ldrt8789@gmail.com> wrote:
[snip]
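Chris's ebtables-plus-iptables idea, worked through as an added example (not code from the thread, from oVirt or from VDSM): a script that derives per-guest rules from the vNIC's MAC and IP, so the guest may only send frames as itself at layer 2 (IP and ARP anti-spoofing via ebtables) and only receives the listed ports at layer 3/4 (iptables with connection tracking), and applies them on the node. MAC, IP, ports and the `--apply` flag are made up for illustration. Two details the thread leaves implicit: an ebtables DROP discards the frame outright rather than handing it to iptables, and bridged IPv4 traffic traverses the host's iptables FORWARD chain only when `net.bridge.bridge-nf-call-iptables` is 1 (br_netfilter loaded), which the script checks before applying anything. Rules are keyed on the MAC rather than the tap name because vnetN names change on every VM start.

```python
"""Per-guest L2/L3 filtering on an oVirt node, generated from the guest's MAC and IP.

Added example for this thread, not part of oVirt/VDSM. It emits ebtables and iptables
commands for the hypervisor's Linux bridge and executes them only with --apply.
All interface names, MACs and addresses below are constructed for the example.
"""
from __future__ import annotations

import shlex
import subprocess
from dataclasses import dataclass

BRIDGE_NF_SYSCTL = "/proc/sys/net/bridge/bridge-nf-call-iptables"


@dataclass(frozen=True)
class GuestNic:
    mac: str                      # keyed on MAC, not vnetN: tap names change on every VM start
    ip: str                       # the only IPv4 source address this vNIC may use
    tcp_in: tuple[int, ...] = ()  # inbound TCP ports exposed to the network
    udp_in: tuple[int, ...] = ()
    icmp_in: bool = True


def ebtables_rules(nic: GuestNic) -> list[list[str]]:
    """Layer-2 rules on the bridge FORWARD path: the guest may only speak IPv4/ARP as itself.
    ebtables DROP discards the frame; iptables never sees it."""
    return [
        # IPv4 frames from this MAC must carry its assigned source address (anti IP spoofing)
        ["ebtables", "-A", "FORWARD", "-s", nic.mac, "-p", "IPv4", "--ip-src", "!", nic.ip, "-j", "DROP"],
        # ARP from this MAC may announce only its own address (anti ARP spoofing / MITM)
        ["ebtables", "-A", "FORWARD", "-s", nic.mac, "-p", "ARP", "--arp-ip-src", "!", nic.ip, "-j", "DROP"],
        # ... and may not claim a different hardware address in the ARP payload either
        ["ebtables", "-A", "FORWARD", "-s", nic.mac, "-p", "ARP", "--arp-mac-src", "!", nic.mac, "-j", "DROP"],
    ]


def iptables_rules(nic: GuestNic) -> list[list[str]]:
    """Layer-3/4 policy for traffic *to* the guest, evaluated in the host's FORWARD chain.
    Needs net.bridge.bridge-nf-call-iptables=1 so bridged IPv4 packets traverse iptables."""
    chain = "VM_" + nic.mac.replace(":", "").upper()   # 15 chars, within iptables' limit
    rules = [
        ["iptables", "-N", chain],
        ["iptables", "-A", "FORWARD", "-d", nic.ip, "-j", chain],
        # replies to connections the guest opened, plus related ICMP errors
        ["iptables", "-A", chain, "-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"],
    ]
    if nic.icmp_in:
        rules.append(["iptables", "-A", chain, "-p", "icmp", "-j", "ACCEPT"])
    for port in nic.tcp_in:
        rules.append(["iptables", "-A", chain, "-p", "tcp", "--dport", str(port),
                      "-m", "conntrack", "--ctstate", "NEW", "-j", "ACCEPT"])
    for port in nic.udp_in:
        rules.append(["iptables", "-A", chain, "-p", "udp", "--dport", str(port), "-j", "ACCEPT"])
    rules.append(["iptables", "-A", chain, "-j", "DROP"])   # default deny for anything else inbound
    return rules


def bridge_nf_call_iptables_enabled() -> bool | None:
    """True/False from the sysctl; None when br_netfilter is not loaded (file absent)."""
    try:
        with open(BRIDGE_NF_SYSCTL) as f:
            return f.read().strip() == "1"
    except OSError:
        return None


def render(rules: list[list[str]]) -> str:
    """One shell line per rule, quoted so it can be pasted back into a root shell."""
    return "\n".join(shlex.join(r) for r in rules)


def apply_rules(rules: list[list[str]], dry_run: bool = True) -> int:
    """Print the rules (dry run) or execute them; returns how many were executed."""
    if dry_run:
        print(render(rules))
        return 0
    if bridge_nf_call_iptables_enabled() is not True:
        raise RuntimeError(f"set {BRIDGE_NF_SYSCTL}=1 (modprobe br_netfilter) before applying")
    for r in rules:
        subprocess.run(r, check=True)
    return len(rules)


if __name__ == "__main__":
    import sys
    web = GuestNic(mac="52:54:00:12:34:56", ip="172.16.1.4", tcp_in=(22, 443))  # constructed sample
    apply_rules(ebtables_rules(web) + iptables_rules(web), dry_run="--apply" not in sys.argv)
```

Without `--apply` the script only prints the rules, which is the safe way to review them on a production node. Two caveats for anyone using this on oVirt hosts: the rules are host-local, so they do not follow a VM that live-migrates and must be re-applied on the destination node (the same gap Livnat notes for the security-group integration), and they are not saved across reboots unless you persist them with the distribution's ebtables/iptables save mechanism. Guest-to-host traffic goes through the ebtables INPUT chain rather than FORWARD; repeat the anti-spoofing rules there if the guest can reach the host's own addresses.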
participants (7)
- Chris Hunt
- Gianluca Cecchi
- Itamar Heim
- Livnat Peer
- Maurice James
- Moti Asayag
- Ovirt User