cloudstack-users mailing list archives

From Paul Angus <paul.an...@shapeblue.com>
Subject RE: Filtering DHCP traffic
Date Fri, 09 Aug 2019 06:04:18 GMT
Fariborz,

It's a tricky problem you have. You could reverse the problem by creating a VM yourself
on that network and seeing what the IP/MAC address of the DHCP server that gives it an
address is (via the console proxy), then use that to trace the DHCP VM and owner. Then ask
them to 'stop it (or else)'....

Kind regards

Paul


paul.angus@shapeblue.com
www.shapeblue.com
Amadeus House, Floral Street, London WC2E 9DP UK
@shapeblue


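As an added example (not from this thread and not CloudStack's own code), a small Python check that parses DHCP server replies captured on the shared network and flags any OFFER/ACK/NAK whose source MAC or server identifier (option 54) is not the virtual router's; the VR addresses and the test frame builder are constructed placeholders.

```python
import socket
import struct

VR_MAC, VR_IP = "02:00:0a:0b:0c:0d", "10.1.1.1"     # constructed placeholders for the VR
DHCP_MAGIC = b"\x63\x82\x53\x63"
SERVER_MSG_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}   # option 53 values only servers send


def parse_dhcp_options(payload):
    """Map option code -> raw value bytes for a BOOTP/DHCP payload (the UDP data)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:     # 255 = end option
        if payload[i] == 0:                            # 0 = pad, has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def classify_frame(frame):
    """Return (verdict, src_mac, server_id) for an Ethernet/IPv4/UDP frame; only server replies are judged."""
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    udp = 14 + (frame[14] & 0x0F) * 4                  # skip Ethernet + IPv4 header
    sport = struct.unpack("!H", frame[udp:udp + 2])[0]
    if sport != 67:                                    # clients send from 68, servers reply from 67
        return ("ignore", src_mac, None)
    opts = parse_dhcp_options(frame[udp + 8:])
    if opts.get(53, b"\x00")[0] not in SERVER_MSG_TYPES:
        return ("ignore", src_mac, None)
    server_id = socket.inet_ntoa(opts[54]) if 54 in opts else None
    if src_mac == VR_MAC and server_id == VR_IP:
        return ("legit", src_mac, server_id)
    return ("rogue", src_mac, server_id)               # a second DHCP server on the shared network


def build_offer_frame(src_mac, server_ip, yiaddr="10.1.1.50"):
    """Constructed DHCPOFFER frame for testing (IP/UDP checksums left zero)."""
    mac = bytes.fromhex(src_mac.replace(":", ""))
    eth = b"\xff" * 6 + mac + b"\x08\x00"
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                        b"\0" * 4, socket.inet_aton(yiaddr), b"\0" * 4, b"\0" * 4,
                        b"\0" * 16, b"\0" * 64, b"\0" * 128)
    payload = bootp + DHCP_MAGIC + b"\x35\x01\x02\x36\x04" + socket.inet_aton(server_ip) + b"\xff"
    udp = struct.pack("!HHHH", 67, 68, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(server_ip), b"\xff" * 4)
    return eth + ip + udp
```

Feed it frames read from a pcap taken on the shared network's bridge (UDP port 67 source) and a "rogue" verdict gives you the MAC to trace back to the offending VM.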
-----Original Message-----
From: Ivan Kudryavtsev <kudryavtsev_ia@bw-sw.com> 
Sent: 09 August 2019 03:29
To: users <users@cloudstack.apache.org>
Subject: Re: Filtering DHCP traffic

Even when no SGs are used, the agent still creates iptables/ebtables rules and should block MAC/IP
spoofing and wrong DHCP announcements. I'm not sure how it works in the current CS version, but believe
it is:

- either a local bug which must be investigated through agent logs and iptables/ebtables dumps

- or a CS bug which was introduced recently.

We have an ancient ACS 4.3 with a basic zone without SG, and no DHCP faking works there. Unfortunately
now all my zones have SGs, so I cannot check...

Fri, 9 Aug 2019, 4:17 Andrija Panic <andrija.panic@gmail.com>:

> Nope, that is the reason security groups should be used in 
> multi-tenant shared network... At least I'm not aware that is possible.
> Not sure if hacking the DB is possible though...
>
> On Thu, 8 Aug 2019, 20:58 Fariborz Navidan, <mdvlinquest@gmail.com> wrote:
>
> > Hello,
> > I have found a user VM who is running a sort of DHCP server, i.e. a
> > VPN server, etc. The user VM is on the default shared network without
> > security groups enabled in a Basic zone which does not support
> > multiple networks. Is there any way to either enable security groups
> > on the existing network and add a rule to stop VMs offering DHCP and prevent
> > conflicting with the VR's DHCP, or manually add a firewall rule on the VR to filter DHCP
> > traffic from user VMs?
> >
> > TIA
> >
>