GUI IP or CIDR ???

Virtualizer

Dec 19, 2011
That's not clear enough: the IP setting in the GUI is entered in CIDR format. The container gets the IP of the CIDR OK. Does the ipfilter then protect the IP or the CIDR? So, can the container admin change the IP (spoofing) to another IP in the same CIDR?

When we have IP blocks, we give one IP to the container; we would like the format 123.123.256.100/32, but in different OSes, e.g. CentOS, they then do not work via the gateway, so we must change it and enter the prefix length of the complete IP block, e.g. 123.123.256.100/27! But what does the ipfilter check? Does the ipfilter now check the CIDR, i.e. only that the IP is in 123.123.256.100 ... 132? If so, the container admin can change the IP in the container! OK, if so, must we manually set an extra ipfilter (ipfilter-eth0) rule?

Then the other question is: if the ipfilter instead checks only the IP and not the CIDR, then it is not possible to assign an IP block to the container, e.g. to use many IPs of the block in the container! What is right now?
 
I think you need to create a firewall output rule to discard all packets not matching your IP. I was not able to block it in my tests with the ordinary firewall settings in the options menu. This could be a bug or a wanted feature.

I really think there should be an automatic rule to enforce the IP somehow - or block anything else. It is done for the MAC address, but not the IP itself.
 
So again, does Proxmox really set the CIDR, so that the container then gets an IP block?!
Again, there are 2 IP filters: the standard one in Container -> Firewall -> Options, which possibly only controls the IP block.
But what about Container -> Firewall -> IPSet -> ipfilter-eth0 -> IP: a single IP without prefix length, or e.g. with prefix length /32?

And if neither of these filters this, then this is a hard SECURITY BUG !!!
 
Example:

CT100 gets 123.123.256.100/27
CT203 gets 123.123.256.101/27

And both can spoof all the IP addresses in this IP block !!!
 
Yes, I tried that too and I think this is a real problem. Even an unprivileged container can change it. You can IMHO fix this by enforcing capabilities on the LXC, but I ended up without any IP. I tried

Code:
lxc.cap.drop: net_admin

There must be another way to do this. @dietmar ?
 
But this can be a problem with privileged containers too, because the container admin can change their network settings as well!
 

I don't think dropping this capability is possible - we need it for configuring the network after all. AFAIK you can only limit the access further on the firewall level, but there is no automatic support (yet), like you described. In the simple case, you can just configure the container with /32. For the case you describe in this thread, you basically tell PVE "this container has an interface for the following subnet", so that's what it gets.
 
I don't think dropping this capability is possible - we need it for configuring the network after all.

Yes, of course it's needed. I just wanted to try if it helps somehow. This discussed problem is not Proxmox VE specific, so there should be a default way of achieving the goal directly, shouldn't it?

AFAIK you can only limit the access further on the firewall level, but there is no automatic support (yet), like you described. In the simple case, you can just configure the container with /32. For the case you describe in this thread, you basically tell PVE "this container has an interface for the following subnet", so that's what it gets.

I tried again and I now have a configuration that works with respect to a changed IP. Afterwards I am not able to ping outside (enabled all firewalls and enabled the IP filter).

I found out that it will not work anymore, but I do not understand how the ipfilter stuff works. Could you elaborate?

I have now a working configuration:

Code:
root@proxmox:~# pct stop 101

root@proxmox:~# pct start 101

root@proxmox:~# iptables -Z veth101i0-OUT

root@proxmox:~# iptables -vnL veth101i0-OUT
Chain veth101i0-OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 PVEFW-SET-ACCEPT-MARK  udp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  udp spt:68 dpt:67
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC ! D6:2B:55:7B:6E:F5
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ! match-set PVEFW-101-ipfilter-net0-v4 src
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK and 0x7fffffff
    0     0 PVEFW-SET-ACCEPT-MARK  all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PVESIG:bYG3HITIonxGkjTFfxglwrzmgKs */

root@proxmox:~# pct exec 101 ping -- -c 4 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: seq=0 ttl=64 time=1.285 ms
64 bytes from 192.168.1.1: seq=1 ttl=64 time=0.558 ms
64 bytes from 192.168.1.1: seq=2 ttl=64 time=0.568 ms
64 bytes from 192.168.1.1: seq=3 ttl=64 time=0.588 ms

--- 192.168.1.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.558/0.749/1.285 ms

root@proxmox:~# iptables -vnL veth101i0-OUT
Chain veth101i0-OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 PVEFW-SET-ACCEPT-MARK  udp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  udp spt:68 dpt:67
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC ! D6:2B:55:7B:6E:F5
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ! match-set PVEFW-101-ipfilter-net0-v4 src
    1    84 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK and 0x7fffffff
    1    84 PVEFW-SET-ACCEPT-MARK  all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PVESIG:bYG3HITIonxGkjTFfxglwrzmgKs */

root@proxmox:~# pct exec 101 ifconfig eth0
eth0      Link encap:Ethernet  HWaddr D6:2B:55:7B:6E:F5
          inet addr:192.168.1.111  Bcast:0.0.0.0  Mask:255.255.255.0
          inet6 addr: 2003:c8:43c4:5c00:d42b:55ff:fe7b:6ef5%32731/64 Scope:Global
          inet6 addr: fe80::d42b:55ff:fe7b:6ef5%32731/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:678 (678.0 B)  TX bytes:1062 (1.0 KiB)

root@proxmox:~# pct exec 101 ifconfig eth0 192.168.1.112

root@proxmox:~# pct exec 101 ping -- -c 4 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes

--- 192.168.1.1 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

root@proxmox:~# iptables -vnL veth101i0-OUT
Chain veth101i0-OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 PVEFW-SET-ACCEPT-MARK  udp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  udp spt:68 dpt:67
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC ! D6:2B:55:7B:6E:F5
    4   336 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ! match-set PVEFW-101-ipfilter-net0-v4 src
    1    84 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK and 0x7fffffff
    1    84 PVEFW-SET-ACCEPT-MARK  all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PVESIG:bYG3HITIonxGkjTFfxglwrzmgKs */

So the PVEFW-101-ipfilter-net0-v4 rule matches and the packets are dropped.
 
Here is the configuration used:

Code:
root@proxmox:~# cat /etc/pve/firewall/101.fw
[OPTIONS]

ipfilter: 1
enable: 1

root@proxmox:~# cat /etc/pve/lxc/101.conf
arch: amd64
cmode: console
cores: 1
hostname: test
memory: 512
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.1.1,hwaddr=D6:2B:55:7B:6E:F5,ip=192.168.1.111/24,type=veth
ostype: alpine
rootfs: local-zfs:subvol-101-disk-1,size=8G
swap: 512
tty: 0
 
I think that is a bug, and it's strange that the security is not given! I feel it would be better if there were a checkbox for IP-Block in the container network settings; otherwise it is a single IP, equal to the IP setting in CIDR form! With this, when the IP-Block checkbox is not selected, Proxmox uses the IP without the prefix length for the ipfilter (i.e. IP/32), but the interface gets the settings as entered, e.g. /27! When IP-Block is enabled, the ipfilter does not filter on the single IP but on the complete CIDR! With this implementation everything is easy, correct and secure!

Example container settings:

123.123.257.10/24 - ipblock off: ipfilter works on the single IP 123.123.257.10/32, but the interface gets the settings 123.123.257.10/24
123.123.257.10/24 - ipblock on: ipfilter works on the IP block 123.123.257.10/24 and the interface gets the settings 123.123.257.10/24
123.123.257.10/32 - ipblock on: ipfilter works on the IP block 123.123.257.10/32 and the interface gets the settings 123.123.257.10/32
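As an added example (not code from the thread or from Proxmox), the following models the `DROP all ... ! match-set PVEFW-101-ipfilter-net0-v4 src` rule from the iptables listing above and generates an explicit `[IPSET ipfilter-netN]` section for `/etc/pve/firewall/<vmid>.fw` in both modes the poster asks for: the single host address (which is what the test above shows for `ipfilter: 1` with a /24 on the interface) or the whole configured block. The container config text and the `ipblock` flag are constructed for the example; the `[IPSET name]` section syntax with one CIDR per line is the one used by the Proxmox firewall config files.

```python
import ipaddress
import re

# Constructed sample: the net0 line from the /etc/pve/lxc/101.conf shown in the thread
LXC_CONF = """arch: amd64
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.1.1,hwaddr=D6:2B:55:7B:6E:F5,ip=192.168.1.111/24,type=veth
ostype: alpine
"""


def interface_cidrs(conf_text):
    """Return {netN: 'ip=' value} for every interface with a static CIDR."""
    result = {}
    for line in conf_text.splitlines():
        m = re.match(r"^(net\d+):\s*(.*)$", line)
        if not m:
            continue
        opts = dict(kv.split("=", 1) for kv in m.group(2).split(",") if "=" in kv)
        ip = opts.get("ip")
        if ip and ip not in ("dhcp", "manual"):
            result[m.group(1)] = ip
    return result


def ipfilter_entries(cidr, ipblock):
    """Entries for ipfilter-netN: the host address alone (the behaviour the
    iptables test above shows), or with the proposed IP-Block mode the whole
    configured subnet (constructed option, not a Proxmox setting)."""
    iface = ipaddress.ip_interface(cidr)
    if ipblock:
        return [iface.network.with_prefixlen]                     # e.g. 192.168.1.0/24
    return [ipaddress.ip_network(str(iface.ip)).with_prefixlen]  # e.g. 192.168.1.111/32


def ipfilter_sections(conf_text, ipblock=False):
    """Emit explicit [IPSET ipfilter-netN] sections for the container's .fw file."""
    out = []
    for netid, cidr in sorted(interface_cidrs(conf_text).items()):
        mode = "whole block" if ipblock else "single address"
        out.append(f"[IPSET ipfilter-{netid}] # {mode} for {netid}")
        out.extend(ipfilter_entries(cidr, ipblock))
        out.append("")
    return "\n".join(out)


def source_allowed(entries, src_ip):
    """Model 'DROP all ... ! match-set <ipfilter set> src': True if the packet
    passes the anti-spoofing rule, False if it is dropped."""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(e, strict=False) for e in entries)
```

With the single-address entries, a container that reconfigures eth0 to 192.168.1.112 is dropped exactly as in the counters above; with the block entries, any address in 192.168.1.0/24 passes.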
 

Please file a feature request at bugzilla.proxmox.com
 