Filter ARP

BelCloud
Dec 15, 2015
www.belcloud.net
Hello

Is there any way to filter the ARP replies?
Ex: 09:45:12.141931 ARP, Reply xx.xx.xx.xxis-at b2:cb:9f:21:38:a8, length 46

I've had today a customer attempting to use another user's IP. The firewall blocked tcp/udp etc, but he still managed to answer ARP requests making the other customer's IP unusable.

Thanks
 
This is unfortunately currently not available since the firewall currently only configures iptables, not eb/arptables.
It's definitely something we want to add (at the very least in pve5 which has a few more options as to how to do this (switching the firewall over to nftables would be my personal favorite here, but that requires a bit more testing and experimentation)).
 
I'm about to put PM6 into production and would like to address this issue before doing so.
Are there any builds that contain this feature nowadays?
 
>> I'm about to put PM6 into production and would like to address this issue before doing so.
>> Are there any builds that contain this feature nowadays?
ARP filtering has been enabled by default since last year; you just need to have ebtables enabled at datacenter level,
and
for a CT, it takes the IP address from the defined IPs;
for a VM, you need to define the IP in an ipset "ipfilter-netX".
 
Ah, thanks for the reply, spirit.
So I just remove all my firewall rules, tick the ip filter box and add new ipset named ipfilter-netX where X matches net ID from hardware section?
Cool, will try.
 
Well I did what you suggested and it did not work.

I just checked what the iptables rules look like on the host and I found this match:
-A tap100i0-OUT -m set ! --match-set PVEFW-100-ipfilter-net0-v4 src -j DROP
so it seems that the ipset is named PVEFW-$VMID-ipfilter-net$NETID-v4 and not ipfilter-netX.

I'll go and try to create one named like that now to test and report back.

Wish there existed some better docs for this, something like simple step-by-step instructions from the datacenter level down to the VM to have a VM locked to specific IP(sets).
 
You are correct.

It did not work, because of how it's designed. I have default DROP policy and when such is set, ipfilter does not work correctly.

I decided to go with my firewall rules, which block in both directions (ipfilter does only egress filtering, relying on the MAC filter), and the MAC filter.

Works now and ARP replies should be filtered:
Code:
ebtables>
-A tap100i0-OUT -s ! d2:42:b5:57:35:3f -j DROP
-A tap100i0-OUT -j ACCEPT
iptables>
-A tap100i0-OUT -m mac ! --mac-source D2:42:B5:57:35:3F -j DROP
 
>> did not work, because of how it's designed. I have default DROP policy and when such is set, ipfilter does not work correctly.
What do you mean by how it's designed?

Here is a sample VM running on my cluster, with default REJECT.

config
Code:
[OPTIONS]

dhcp: 0
log_level_out: info
enable: 1
macfilter: 1
log_level_in: info
policy_in: REJECT
policy_out: REJECT

[IPSET ipfilter-net0]
192.168.0.1

ebtables
Code:
-A PVEFW-FWBR-OUT -i tap982i1 -j tap982i1-OUT
-A tap982i1-OUT -s ! 46:e1:dd:b5:1a:5c -j DROP
-A tap982i1-OUT -p ARP -j tap982i1-OUT-ARP
-A tap982i1-OUT -j ACCEPT
-A tap982i1-OUT-ARP -p ARP --arp-ip-src 192.168.0.1 -j RETURN
-A tap982i1-OUT-ARP -j DROP

iptables
Code:
-A tap982i1-OUT -m mac ! --mac-source 46:E1:DD:B5:1A:5C -j DROP
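The chains above encode two checks per VM NIC: the frame's source MAC must be the VM's own MAC (macfilter), and an ARP frame must carry a sender IP that is in the ipfilter-netX ipset (ipfilter), otherwise it is dropped. The following script is an added example, not Proxmox code or anything posted in this thread: it replays that verdict logic over tcpdump-style ARP reply lines like the one in the opening post, so an admin can audit a capture and see which replies the ruleset would have blocked (the spoofed-IP case the thread started with) before relying on it in production. The MAC 46:e1:dd:b5:1a:5c and ipset content 192.168.0.1 are taken from spirit's sample; the capture lines are constructed. It assumes the `is-at` MAC in the tcpdump line equals the Ethernet source MAC that ebtables `-s` matches (use `tcpdump -e` to see the real frame source).

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Policy for one VM NIC, mirroring the tap982i1 chains quoted in the thread:
#   -A tapX-OUT -s ! <mac> -j DROP                      (macfilter)
#   -A tapX-OUT-ARP -p ARP --arp-ip-src <ip> -j RETURN  (ipfilter-netX)
#   -A tapX-OUT-ARP -j DROP
@dataclass(frozen=True)
class NicPolicy:
    allowed_mac: str            # MAC pinned by macfilter: 1
    allowed_ips: FrozenSet[str] # members of the ipfilter-netX ipset


@dataclass(frozen=True)
class ArpReply:
    src_mac: str     # assumed equal to the frame's Ethernet source MAC
    claimed_ip: str  # ARP sender IP, what --arp-ip-src matches


# Matches "ARP, Reply 10.0.0.1 is-at aa:bb:cc:dd:ee:ff"; the space before
# "is-at" is optional because the thread's quoted line lacks it.
ARP_REPLY_RE = re.compile(
    r"ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) ?is-at "
    r"(?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})",
    re.IGNORECASE,
)


def parse_arp_reply(line: str) -> Optional[ArpReply]:
    """Return the ARP reply in a tcpdump line, or None for anything else."""
    m = ARP_REPLY_RE.search(line)
    if not m:
        return None
    return ArpReply(src_mac=m.group("mac").lower(), claimed_ip=m.group("ip"))


def evaluate(policy: NicPolicy, reply: ArpReply) -> str:
    """Verdict the tapX-OUT ebtables chain would give for this ARP reply."""
    if reply.src_mac != policy.allowed_mac.lower():
        return "DROP"    # macfilter: foreign source MAC
    if reply.claimed_ip in policy.allowed_ips:
        return "ACCEPT"  # RETURN from tapX-OUT-ARP, then tapX-OUT -j ACCEPT
    return "DROP"        # ipfilter: VM answering for an IP it does not own


def audit(policy: NicPolicy, lines: List[str]) -> List[Tuple[str, str, str]]:
    """(claimed_ip, src_mac, verdict) for every ARP reply in the capture."""
    results = []
    for line in lines:
        reply = parse_arp_reply(line)
        if reply is not None:
            results.append((reply.claimed_ip, reply.src_mac, evaluate(policy, reply)))
    return results


# Constructed sample: the VM's own MAC and ipset entry from the thread, plus
# two replies the ruleset should drop and one non-ARP line it should ignore.
SAMPLE_POLICY = NicPolicy("46:e1:dd:b5:1a:5c", frozenset({"192.168.0.1"}))
SAMPLE_CAPTURE = [
    "09:45:12.141931 ARP, Reply 192.168.0.1 is-at 46:e1:dd:b5:1a:5c, length 46",
    "09:45:13.002210 ARP, Reply 192.168.0.2 is-at 46:e1:dd:b5:1a:5c, length 46",
    "09:45:14.517004 ARP, Reply 192.168.0.1 is-at b2:cb:9f:21:38:a8, length 46",
    "09:45:15.090113 IP 192.168.0.1.22 > 192.168.0.9.51522: Flags [S.], length 0",
]


def sample_audit() -> List[Tuple[str, str, str]]:
    return audit(SAMPLE_POLICY, SAMPLE_CAPTURE)


if __name__ == "__main__":
    for ip, mac, verdict in sample_audit():
        print(f"{verdict:6} {mac} claims {ip}")
```

Feed it `tcpdump -n -i tap982i1 arp` output to compare what the VM actually sends with what the chains permit; the second sample line is the exact situation from the opening post, a VM answering ARP for an IP outside its ipset, and the third is a spoofed source MAC, which macfilter catches first.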