[ovirt-users] Ip spoofing
Sven Kieske
S.Kieske at mittwald.de
Tue Jun 24 11:02:20 UTC 2014
Am 24.06.2014 11:52, schrieb Punit Dambiwal:
> Hi Den,
>
> Thanks for the updates...but still the user can spoof the another ip
> address by manually edit the ifcfg-eth0:0 file....
>
> Like if i assign the 10.0.0.5 ip address to one VM through cloud-int...once
> the VM bootup user can login to VM and create another virtual ethernet
> device and add another ip address 10.0.0.6 to this VM....
>
> I want in anyhow the user can not spoof the ip address....either they can
> edit but the new ip address can not boot up(should not active)...
>
> Thanks,
> Punit
>
Imho you can't force the vm to not spin it's inside network interface up
with a certain IP.
What you _can_ (and should) prevent is to allow packets from this
spoofed ip to access your network.
this is, what the filter no-ip-spoofing does, see the docs here:
http://libvirt.org/formatnwfilter.html#nwfexamples
it prevents sending spoofed packages from inside the vm by not allowing
them on the virtual integrated libvirt switch on your host (which runs
the vm).
this might look a little different, depending on your network setup
(bonding, bridges, vlans).
HTH
--
Mit freundlichen Grüßen / Regards
Sven Kieske
Systemadministrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Geschäftsführer: Robert Meyer
St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen
Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
More information about the Users
mailing list