[Users] iptables settings/scripts ovirt 3.3
R P Herrold
herrold at owlriver.com
Tue Oct 1 16:42:25 UTC 2013
On Tue, 1 Oct 2013, Sven Kieske wrote:
> We read about some "vdsm bootstrap script" (e.g. BZ 893680),
> may this be related?
SvenKieske appeared in the OFTC IRC channel #ovirt with this
issue, and we discussed it some more
11:41 < SvenKieske> meaning you can't ping compute nodes, this
is in the default install
11:41 < orc_orc> SvenKieske: * nod * that effect would occur
with the physdev rule, I think
11:41 < SvenKieske> and I think this default iptables rule is
just plain useless :)
11:42 < SvenKieske> and prevents proper network debugging, as
we are having some issues with network related to newest ovirt
nodes
11:42 < orc_orc> SvenKieske: assumedly you are following a
guide. can you point out that URL and the step at which the
problem is first noticed
and he pointed to the wiki outline at:
http://www.ovirt.org/Quick_Start_Guide#Install_oVirt_Node
11:43 < orc_orc> but from a policy POV, it may make sense that
a node is not reachable until it has had time to become
hardened
.. and I also pointed out an example of an ICMP fragmentation
attack and its remediation in the Red Hat bugzilla
> I don't see why you shouldn't be able to ping the hypervisor in the
> management lan? this is useful for monitoring and network debugging.
>
> ICMP is no danger at all.
and in IRC he stated
11:45 < SvenKieske> I'm not sure you can harden this node any
further, as it resides on a read only file system, beside
that, I can not think of any attack vector via icmp on the
compute node
11:46 < orc_orc> SvenKieske: there are some ICMP attacks,
particularly on ipv6 stacks, which can cause machines to fall
over and die
11:46 < orc_orc> I reported one a while back
11:47 < orc_orc> the packet reassembly code had an unsuspected
re-construction method with a problem in it
and at that point he concluded that perhaps the ICMP block
limitation had policy reasons behind it
11:49 < SvenKieske> Well then that's fine with me, but maybe
the node devs should more focus on reliable network
configuration and then harden it for security and not the
other way around, it was just a small nuisance, if network
setup in 3.3 would work ootb I'd maybe never noticed ping
doesn't work ootb
to which I can only respond:
11:49 < orc_orc> SvenKieske: sounds like you are saying that
you need to file an RFE as to debugging tools extensions
or amend the setup documentation
I had a private inquiry about KVM hardening and so had been
looking at the physdev iptables rules recently, and there was
an incident just last weekend on a VM for which I am responsible
11:50 < orc_orc> SvenKieske: I had a person at my office just
today, who was the victim of a TOR attack on a VM
11:50 < orc_orc> so VM's _do_ get scanned for and attacked
... in part we mitigated the attack via a temporary iptables
rule on the KVM based hypervisor ...
and he closed by saying that he may file something tomorrow.
11:50 < SvenKieske> yeah, might be the way to go, but my
workday is over now, so maybe tomorrow :)
11:50 < orc_orc> SvenKieske * nod * don't forget ;)
11:51 < SvenKieske> I'm all in for more computer security :)
11:51 < SvenKieske> see you!
11:51 * orc_orc waves
I've been working through the setup documentation as well
since the 3.3 update, and have a list of questions as to the
wiki materials, as of course bit rot happens in wikis (heck,
in _any_ documentation) as new releases are issued
-- Russ herrold
>
> Kind regards
>
> Sven Kieske
--
end
==================================
.-- -... ---.. ... -.- -.--
Copyright (C) 2013 R P Herrold
herrold at owlriver.com
My words are not deathless prose,
but they are mine.
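As an added example (my own, not a vdsm or oVirt Node script), here is a small shell harness for the situation in the IRC exchange above: it walks an iptables-save snapshot the way the kernel does, first match wins, for an inbound ICMP echo-request, reports which rule decides the verdict, and prints the rate-limited accept you would insert ahead of that rule so the node answers monitoring pings without taking unbounded ICMP. The ruleset and the management interface name em1 are constructed for the example, not taken from a real node, and the simulation treats the ping as locally delivered, so a physdev --physdev-is-bridged match does not apply to it.

```shell
#!/usr/bin/env bash
# Added example (not vdsm or oVirt Node code): simulate first-match evaluation
# of an iptables chain for an inbound ICMP echo-request, to find the rule that
# is eating pings before touching the live ruleset.

# Constructed sample in iptables-save format, loosely resembling a hardened
# hypervisor ruleset; em1 as the management interface is an assumption.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 54321 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# rule_matches_echo IFACE RULE
# Packet model: ICMP type 8 (echo-request), conntrack state NEW, delivered to
# the host itself (so --physdev-is-bridged does not match), arriving on IFACE.
# Only the matches seen in typical node rulesets are understood; an unknown
# "--option value" pair is assumed to match, so the answer is an upper bound
# on what the live kernel would accept.
rule_matches_echo() {
    local iface="$1" negate=0 hit w
    shift
    set -- $1                     # split the rule into words (iptables-save never quotes)
    while [ $# -gt 0 ]; do
        w=$1; shift
        hit=1
        case "$w" in
            '!') negate=1; continue ;;
            -A|-j|-m|--reject-with|--dport|--sport|--limit|--limit-burst)
                shift ;;                                        # option with an argument we ignore
            -i) [ "$1" = "$iface" ] || hit=0; shift ;;
            -p) case "$1" in icmp|1|all) ;; *) hit=0 ;; esac; shift ;;
            --icmp-type) case "$1" in 8|8/*|echo-request|any) ;; *) hit=0 ;; esac; shift ;;
            --state|--ctstate) case ",$1," in *,NEW,*) ;; *) hit=0 ;; esac; shift ;;
            --physdev-is-bridged) hit=0 ;;                      # our packet is not bridged
            --*) shift ;;                                       # unknown option: assume it matches
        esac
        if [ "$negate" = 1 ]; then hit=$((1 - hit)); negate=0; fi
        [ "$hit" = 1 ] || return 1
    done
    return 0
}

# icmp_echo_verdict CHAIN IFACE < ruleset
# Prints "VERDICT N", N being the 1-based position of the deciding rule in
# CHAIN (the number "iptables -I CHAIN N ..." takes), or "POLICY X" if the
# chain falls through to its policy.
icmp_echo_verdict() {
    local chain="$1" iface="$2" rules policy n=0 line target
    rules=$(cat)
    policy=$(printf '%s\n' "$rules" | sed -n "s/^:$chain \([A-Z]*\) .*/\1/p")
    while IFS= read -r line; do
        case "$line" in "-A $chain "*) ;; *) continue ;; esac
        n=$((n + 1))
        if rule_matches_echo "$iface" "$line"; then
            target="${line##* -j }"        # text after the last " -j "
            printf '%s %d\n' "${target%% *}" "$n"
            return 0
        fi
    done <<EOF
$rules
EOF
    printf 'POLICY %s\n' "${policy:-ACCEPT}"
}

# icmp_allow_rule CHAIN N IFACE
# The fix: a rate-limited echo-request accept inserted ahead of rule N, so
# the node answers monitoring pings without taking unbounded ICMP.
icmp_allow_rule() {
    printf 'iptables -I %s %d -i %s -p icmp -m icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 20 -j ACCEPT\n' "$1" "$2" "$3"
}

verdict=$(printf '%s\n' "$SAMPLE_RULES" | icmp_echo_verdict INPUT em1)
echo "echo-request on em1 -> $verdict"
case "$verdict" in
    REJECT\ *|DROP\ *) icmp_allow_rule INPUT "${verdict#* }" em1 ;;
esac
```

On the constructed ruleset the verdict is the final REJECT at position 5, and the printed iptables -I line puts the limited accept in front of it; on a live node you would feed `iptables-save` into icmp_echo_verdict instead of the sample. The limit is there so that allowing echo-request does not hand an attacker an unmetered path into the ICMP code the IRC discussion was worried about.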