Advice in the Simple zone setup wiki & DHCP Guard

esi_y
I am not really familiar with the PVE firewall solution, so it might be that I do not know something that I do not know, but I found this guide [1] from @shanreich on Simple zone with SNAT & DHCP setup.

What I found odd was this part:
For the DNS rule, you should additionally set the destination address to the gateway of the network. This allows only DNS traffic for the dnsmasq server. If you don't set it all DNS traffic will be allowed, which could be used to circumvent other firewall rules. DHCP cannot be restricted in the same manner, as it needs to be able to issue a broadcast message at first. Finally, mark both as enabled and save the rules. See the below screenshots for more information.

Actually, there are two pieces which I can't comprehend:

1. How can restricting DNS "could be used to circumvent other firewall rules", also, why not DNAT it then?

But the more important yet:

2. How come DHCP is not much more of a concern, I absolutely would want to DROP the frames on the FORWARD chain with ebtables as any other firewall rules then based on e.g. IP are completely futile.

Related / resulting question:

Should PVE provide simple "DHCP guard" option for this?

[1] https://pve.proxmox.com/wiki/Setup_Simple_Zone_With_SNAT_and_DHCP
 
2. How come DHCP is not much more of a concern, I absolutely would want to DROP the frames on the FORWARD chain with ebtables as any other firewall rules then based on e.g. IP are completely futile.
You cannot abuse DHCP for tunneling, there's only potential for MitM attacks. But those can be safeguarded against by disallowing DHCP server traffic from any non-host port (see below). There is also the IP Filter option, preventing a VM from sending IP traffic with IPs other than the one configured. In a future patch I will integrate this with the IPAM, automatically populating that option from the IPs set in the IPAM.

Should PVE provide simple "DHCP guard" option for this?
Not sure I 100% understand what you mean by DHCP guard, but there is an option in the Firewall Options for a guest to filter outgoing DHCP server traffic.


edit: DNS part was nonsense, I'll respond later when I have more time
 
Not sure I 100% understand what you mean by DHCP guard, but there is an option in the Firewall Options for a guest to filter outgoing DHCP server traffic.

So that I do not use some proprietary [1] meaning for the term (EDIT: see the "IP source guard" there, however), let's say at least RFC7610 [2] and for IPv6 also RFC6105 [3] (though not DHCP per se, same problem).

[1] https://www.cisco.com/c/en/us/td/do...-2/31sga/configuration/guide/config/dhcp.html
[2] https://datatracker.ietf.org/doc/html/rfc7610
[3] https://datatracker.ietf.org/doc/html/rfc6105
 
Yes, something similar is effectively implemented by the IP Filtering (IP Source guard as per the Cisco documentation) option. Currently we have no way for users to filter on the forward chain, but this will change very soon [1]. This should then also cover DHCP (since it is layer 4 and therefore configurable via custom rules in the Firewall UI). We do not expose the option to configure source / destination mac address though. The most important protocols (DHCP, NDP) should be covered by the firewall options we expose.

We also have something like DHCP guard for NDP traffic. You can check out the skeleton ruleset for proxmox-firewall which includes the respective chains [2].

[1] https://lore.proxmox.com/pve-devel/20240911152233.a5e6vlxh3xino3m7@luna.proxmox.com/T/#t
[2] https://git.proxmox.com/?p=proxmox-...350c5e9aaf3c5fa59ed8695da8cef170;hb=HEAD#l261

edit: as an additional help, all options are documented in the Firewall article in the Wiki [3]

[3] https://pve.proxmox.com/wiki/Firewall
 
Yes, something similar is effectively implemented by the IP Filtering (IP Source guard as per the Cisco documentation) option. Currently we have no way for users to filter on the forward chain, but this will change very soon [1].

Oh, so it's actively being worked on, thanks for the reference.

This should then also cover DHCP (since it is layer 4 and therefore configurable via custom rules in the Firewall UI). We do not expose the option to configure source / destination mac address though. The most important protocols (DHCP, NDP) should be covered by the firewall options we expose.

(Disclaimer: Maybe I should try it all out well myself before commenting, I literally just came from the zone guide. Back when I looked at firewall options in PVE originally about a year ago, it felt like I would leave it for separate equipment.)

On DHCPv4 (back to the zone guide), I believe there's a big difference between blocking something from guests individually and having the firewall solution actively snooping and taking the initiative, i.e. from a user standpoint I may want to e.g. NOT have NAT + DHCP done by the hypervisor, but by one of the guests (for the other guests), or by a separate physical host that will be on that bridge. On that level, I would want the hypervisor to make sure that should there be a rogue DHCP server (anywhere really), my guests will never hear from it. And that as a single option not specific to each guest.
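To make the two mechanisms discussed in this thread concrete, here is a small model of the decision a bridge-level guard makes per ingress port: the per-guest "filter outgoing DHCP server traffic" option and the IP Filter option described by shanreich, plus the trusted-port idea (only the port the legitimate DHCP server sits behind may emit server messages) that the rogue-server question above asks for. This is an added example written for this thread, not Proxmox code and not the nftables/ebtables ruleset a real host would load; the port names, IPs and frames are constructed, checksums are left at zero, and ARP/NDP are deliberately left to the separate NDP chains mentioned earlier.

```python
import struct
from dataclasses import dataclass

ETH_P_IP = 0x0800
IPPROTO_UDP = 17
DHCP_SERVER_PORT = 67   # server -> client messages are sent from this port
DHCP_CLIENT_PORT = 68   # and delivered to this one


@dataclass
class Port:
    """A bridge port as the hypervisor sees it (names below are constructed examples)."""
    name: str
    trusted: bool = False                 # True only for the port behind which the real DHCP server lives
    allowed_ips: frozenset = frozenset()  # IP Filter: sources this guest may use (empty = unrestricted)


def parse_frame(frame: bytes):
    """Return (src_ip, proto, sport, dport) for an IPv4 frame, or None for anything else (ARP, IPv6, ...)."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src_ip = ".".join(str(b) for b in ip[12:16])
    sport = dport = None
    if proto == IPPROTO_UDP and len(ip) >= ihl + 8:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return src_ip, proto, sport, dport


def guard_verdict(port: Port, frame: bytes):
    """Decide whether a frame entering the bridge from `port` may be forwarded: (verdict, reason)."""
    parsed = parse_frame(frame)
    if parsed is None:
        return "accept", "non-ipv4 frame, not handled by this guard"
    src_ip, proto, sport, dport = parsed
    if port.trusted:
        return "accept", "trusted port"
    # DHCP guard: server -> client messages may only originate from a trusted port.
    if proto == IPPROTO_UDP and (sport == DHCP_SERVER_PORT or dport == DHCP_CLIENT_PORT):
        return "drop", "dhcp server message from untrusted port"
    # Client messages are accepted before the IP filter, since a client has no address yet (0.0.0.0).
    if proto == IPPROTO_UDP and sport == DHCP_CLIENT_PORT and dport == DHCP_SERVER_PORT:
        return "accept", "dhcp client message"
    # IP Filter (IP source guard): the guest may only send from its assigned addresses.
    if port.allowed_ips and src_ip not in port.allowed_ips:
        return "drop", f"ip filter: {src_ip} not assigned to {port.name}"
    return "accept", "ok"


def build_frame(src_ip: str, proto: int = IPPROTO_UDP, sport: int = 0, dport: int = 0) -> bytes:
    """Construct a minimal Ethernet/IPv4 frame for the demo (zero checksums; fine for parsing, not for sending)."""
    l4 = struct.pack("!HHHH", sport, dport, 8, 0) if proto == IPPROTO_UDP else b"\x00" * 20
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src_ip.split(".")), b"\xff\xff\xff\xff")
    eth = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ETH_P_IP)
    return eth + ip + l4


def demo():
    """Run the constructed scenarios from the thread and return {scenario: verdict}."""
    host = Port("vmbr1-host", trusted=True)                         # where dnsmasq runs
    guest = Port("tap101i0", allowed_ips=frozenset({"10.0.1.10"}))  # IP Filter enabled for this guest
    scenarios = {
        "legit offer from host":  (host,  build_frame("10.0.1.1", sport=67, dport=68)),
        "rogue offer from guest": (guest, build_frame("10.0.1.50", sport=67, dport=68)),
        "discover from guest":    (guest, build_frame("0.0.0.0", sport=68, dport=67)),
        "dns from assigned ip":   (guest, build_frame("10.0.1.10", sport=40000, dport=53)),
        "tcp from spoofed ip":    (guest, build_frame("10.0.1.99", proto=6)),
        "arp from guest":         (guest, b"\xff" * 6 + b"\x02" + b"\x00" * 5 + b"\x08\x06" + b"\x00" * 28),
    }
    return {name: guard_verdict(p, f)[0] for name, (p, f) in scenarios.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} -> {verdict}")
```

The ordering of the checks is the point: server messages are judged by port trust before anything else, client messages are let through before the IP filter because a booting guest legitimately sources from 0.0.0.0 (the "needs to be able to issue a broadcast message at first" caveat from the wiki), and only then does the per-guest address list apply to ordinary traffic.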