[libvirt-users] IP/MAC antispoof-protection

Jamie Fargen jfargen at gmail.com
Mon Aug 11 21:55:29 UTC 2014


On Mon, Aug 11, 2014 at 5:38 PM, Anton Gorlov <stalker at altlinux.ru> wrote:

> Hi all.
> What is the right way to protect against IP/MAC spoofing for guests without DHCP and
> other 1 IP per guest?


Libvirt manages iptables, ebtables, etc. via nwfilter. You can add a
filterref to your guest XML. This libvirt documentation covers this topic.
It sounds like you will want to implement the clean-traffic filter.

From a similar libvirt document <http://libvirt.org/firewall.html> there is
this reference which sounds like what you want to implement.

"Most of these are just building blocks. The interesting one here is
'clean-traffic'. This pulls together all the building blocks into one
filter that you can then associate with a guest NIC. This stops the most
common bad things a guest might try, IP spoofing, arp spoofing and MAC
spoofing."


Regards,
Jamie Ian Fargen
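
Added example, not part of the original post: a check that every NIC in a guest's domain XML carries a clean-traffic filterref with a pinned IP parameter, which is what a statically addressed guest needs so that libvirt does not have to detect the address itself. The sample XML, MAC addresses, bridge name, IP address and the function name audit_interfaces are constructed for illustration, and matching the filter name exactly is a simplifying assumption (a custom filter that includes clean-traffic would be flagged).

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not from the thread): two bridged NICs,
# only the first bound to clean-traffic with a pinned IP parameter.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>guest1</name>
  <devices>
    <interface type='bridge'>
      <mac address='52:54:00:aa:bb:01'/>
      <source bridge='br0'/>
      <filterref filter='clean-traffic'>
        <parameter name='IP' value='192.0.2.10'/>
      </filterref>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:aa:bb:02'/>
      <source bridge='br0'/>
    </interface>
  </devices>
</domain>
"""

def audit_interfaces(domain_xml, required_filter="clean-traffic"):
    """Return (mac, problem) for every NIC lacking anti-spoof filtering."""
    findings = []
    root = ET.fromstring(domain_xml)
    for nic in root.findall("./devices/interface"):
        mac_el = nic.find("mac")
        mac = mac_el.get("address") if mac_el is not None else "<no mac set>"
        ref = nic.find("filterref")
        if ref is None:
            findings.append((mac, "no filterref"))
            continue
        if ref.get("filter") != required_filter:
            findings.append((mac, "filterref is %r" % ref.get("filter")))
            continue
        ips = [p.get("value") for p in ref.findall("parameter")
               if p.get("name") == "IP"]
        if not ips:
            # No pinned address: libvirt would have to detect the guest IP.
            findings.append((mac, "no IP parameter"))
    return findings

if __name__ == "__main__":
    for mac, problem in audit_interfaces(SAMPLE_DOMAIN_XML):
        print(mac, problem)
```

Feed it the output of `virsh dumpxml` for each guest to find interfaces that still need a filterref.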