[Users] iptables settings/scripts ovirt 3.3

R P Herrold herrold at owlriver.com
Tue Oct 1 16:42:25 UTC 2013 

On Tue, 1 Oct 2013, Sven Kieske wrote:

> We read about some "vdsm bootstrap script" (e.g. BZ 893680), 
> may this be related?

SvenKieske appeared in the OFTC IRC channel #ovirt with this 
issue, and we discussed it some more

11:41 < SvenKieske> meaning you can't ping compute nodes, this 
is in the default install

11:41 < orc_orc> SvenKieske: * nod * that effect would occur 
with the physdev rule, I think

11:41 < SvenKieske> and I think this default iptables rule is 
just plain useless :)
11:42 < SvenKieske> and prevents proper network debugging, as 
we are having some issues with network related to newest ovirt 
nodes

11:42 < orc_orc> SvenKieske: assumedly you are following a 
guide.  can you point out that URL and the step at which the 
problem is first noticed

and he pointed to the wiki outline at:
 	http://www.ovirt.org/Quick_Start_Guide#Install_oVirt_Node

11:43 < orc_orc> but from a policy POV, it may make sense that 
a node is not reachible until it has had time to become 
hardened

.. and I also pointed out an example of an ICMP fragmantation 
attack and its remdiation in the Red Hat bugzilla

> I don't see why you shouldn't be able to ping the hypervisor in the
> management lan? this is useful for monitoring and network debugging.
>
> ICMP is no danger at all.

and in IRC he there stated

11:45 < SvenKieske> I'm not sure you can harden this node any 
further, as it resides on a read only file system, beside 
that, I can not think of any attack vector via icmp on the 
compute node

11:46 < orc_orc> SvenKieske: there are some ICMP attacks, 
particularly on ipv6 stacks, which can cause machines to fall 
over and die
11:46 < orc_orc> I reported one a while back
11:47 < orc_orc> the packet reassembly code had an unsuspected 
re-construction method with a problem in it

and at that point he concluded that perhaps the ICMP block 
limitation had policy reasons behind it

11:49 < SvenKieske> Well then that's fine with me, but maybe 
the node devs should more focus on reliable network 
configuration and then harden it for security and not the 
other way around, it was just a small nuisance, if network 
setup in 3.3 would work ootb I'd maybe never noticed ping 
doesn't work ootb

to which I can only respond:

11:49 < orc_orc> SvenKieske: sounds like you are saying that 
you need to file an RFE as to debugging tools extensions

or amend the setup documentation

I had a private inquiry about KVM hardening and so had been 
looking at the physdev iptables rules recently, and on a VM 
for which I am responsible an incident just last weekend

11:50 < orc_orc> SvenKieske: I had a person at my office just 
today, who                 was the victim of a TOR attack on a VM

11:50 < orc_orc> so VM's _do_ get scanned for and attacked

... in part we mitigated the attack via a temporary iptables 
rule on the KVM based hypervisor ...

and he closed that he may file something tomorrow.

11:50 < SvenKieske> yeah, might be the way to go, but my 
workday is over now, so maybe tomorrow :)

11:50 < orc_orc> SvenKieske * nod *  don't forget  ;)

11:51 < SvenKieske> I'm all in for more computer security :)
11:51 < SvenKieske> see you!

11:51  * orc_orc waves

I've been working through the setup documentation as well 
since the 3.3 update, and have a list of questions as to the 
wiki materials, as of course bit rot happens in wiki's (heck, 
in _any_ documentation) as new releases are issued

-- Russ herrold




>
> Kind regards
>
> Sven Kieske
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>

-- 
--
end
==================================
  .-- -... ---.. ... -.- -.--
Copyright (C) 2013 R P Herrold
       herrold at owlriver.com
    My words are not deathless prose,
       but they are mine.

More information about the Users mailing list