How to disable mac address change in VM?

ufm

Member
Oct 13, 2010
Hi!
I don't understand how to disable MAC address changes in a KVM VM (or how to disable all traffic from a VM with a wrong MAC address).
As I understand it, anybody may change the MAC address in his VM to the MAC of the Proxmox node, for example, and create a bunch of problems.

Is it possible to ban traffic when mac address is changed?

WBR,
Fyodor.
 
My mistake. It is not enough to turn on the firewall on a specific VM. It must be enabled on the cluster. After that all worked. Thanks.

Yes, it is a bit counter intuitive to enable the firewall at first.

Does this 'mac filter' setting actually do what you want? So, every MAC-change is blocked if it is enabled and works if the setting is not enabled?
 
Yes, it is a bit counter intuitive to enable the firewall at first.

Does this 'mac filter' setting actually do what you want? So, every MAC-change is blocked if it is enabled and works if the setting is not enabled?
“Intuitively incomprehensible” that I can change settings that do not affect anything. That is, it seems to me that it would be logical to prohibit changing the settings of the local firewall if globally this feature is disabled.

The "mac filter" setting works as planned. After enabling "mac filter" (approx. 10 seconds), changing the MAC address in the VM disables traffic via a host iptables rule:
Code:
Chain tap111i0-OUT (1 references)
target     prot opt source               destination
PVEFW-SET-ACCEPT-MARK  udp  --  anywhere             anywhere            [goto]  udp spt:bootpc dpt:bootps
DROP       all  --  anywhere             anywhere             MAC ! 9E:A1:2F:15:1A:FC
After disabling "mac filter", traffic starts passing again.
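As an added illustration (not code from any poster in this thread, and not Proxmox's own tooling): a small Python check that parses an `iptables -L` listing in the format quoted above and reports, per tap interface, whether a MAC-pinning DROP rule is in place and whether it pins the MAC the VM is supposed to use. The listing and the expected-MAC table are constructed sample data; the `tapNiM-OUT` chain naming and the `MAC ! xx:xx:xx:xx:xx:xx` rule form follow the output quoted in the thread, and the second chain is invented to show what an interface without the filter looks like.

```python
import re

# Constructed sample, modelled on the chain listing posted in the thread
# (output of `iptables -L` on a Proxmox node). The tap222i0 chain is made
# up to show an interface where the MAC filter is not in effect.
SAMPLE_IPTABLES = """\
Chain tap111i0-OUT (1 references)
target     prot opt source               destination
PVEFW-SET-ACCEPT-MARK  udp  --  anywhere             anywhere            [goto]  udp spt:bootpc dpt:bootps
DROP       all  --  anywhere             anywhere             MAC ! 9E:A1:2F:15:1A:FC

Chain tap222i0-OUT (1 references)
target     prot opt source               destination
PVEFW-SET-ACCEPT-MARK  udp  --  anywhere             anywhere            [goto]  udp spt:bootpc dpt:bootps
ACCEPT     all  --  anywhere             anywhere
"""

# Which MAC each VM interface is supposed to use. Constructed values; on a
# real node this would be read from the VM's net0/net1 setting instead.
EXPECTED_MACS = {
    "tap111i0": "9e:a1:2f:15:1a:fc",
    "tap222i0": "02:00:00:00:00:22",
}

CHAIN_RE = re.compile(r"^Chain (tap\d+i\d+)-OUT\b")
# A DROP rule whose match is "MAC ! <addr>", i.e. drop everything not from <addr>.
MAC_DROP_RE = re.compile(r"^DROP\s+.*\bMAC\s+!\s+([0-9A-Fa-f:]{17})\b")


def parse_mac_filters(listing: str) -> dict:
    """Return {tap_iface: pinned_mac_lowercase or None} for each tapNiM-OUT chain."""
    result = {}
    current = None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = None
            continue
        if current is None:
            continue
        m = MAC_DROP_RE.match(line)
        if m:
            result[current] = m.group(1).lower()
    return result


def audit(listing: str, expected: dict) -> list:
    """Compare the pinned MAC per interface against the expected one.

    Returns a list of (iface, status) tuples; status is "ok" or a short reason.
    """
    pinned = parse_mac_filters(listing)
    findings = []
    for iface, mac in expected.items():
        if iface not in pinned:
            findings.append((iface, "no OUT chain (VM firewall not active?)"))
            continue
        got = pinned[iface]
        if got is None:
            findings.append((iface, "no MAC-pinning DROP rule (macfilter off?)"))
        elif got != mac.lower():
            findings.append((iface, f"pinned to {got}, expected {mac.lower()}"))
        else:
            findings.append((iface, "ok"))
    return findings


if __name__ == "__main__":
    for iface, status in audit(SAMPLE_IPTABLES, EXPECTED_MACS):
        print(f"{iface}: {status}")
```

On a live node the listing would come from `iptables -L` (run as root) rather than the embedded sample; the check is only as good as the expected-MAC table it is given, so that table should be generated from the VM configuration rather than maintained by hand.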
 
“Intuitively incomprehensible” that I can change settings that do not affect anything. That is, it seems to me that it would be logical to prohibit changing the settings of the local firewall if globally this feature is disabled.

Yes, that would be much better. You have to enable on too many places. I reread my last answer and I intended to write it like this:

Yes, it is a bit counter intuitive to enable the firewall at so many places first.

I have not checked in recent versions, but some versions ago, you could enable it for a VM, on the datacenter and NOT on the card and it'll block everything. That was also a bummer.
 
Sorry for hijacking this.
But is there any way to do MAC filtering for the host too? I only find this for the VMs.
It would be great if we could disallow the host to send packets via unknown MAC addresses.
thanks
Sascha
 
I would also suggest to implement the filtering not on the node itself - most managed switches have some kind of capacity for access control lists - maybe you can use something like that?
 
I would also suggest to implement the filtering not on the node itself - most managed switches have some kind of capacity for access control lists - maybe you can use something like that?
Well, we're talking about Hetzner here, so we have no access to their switches.
I thought that maybe implementing some rule like

iptables -A OUTPUT -i enp4s0 -m mac ! --mac-source AB:AB:AB:AB:AB -j DROP

would be cool.
Just an example of course, this command will not work, as it seems not suitable for OUTPUT.
Thanks
Sascha
 
Hi, sorry for revitalizing this.
We still have these problems with Hetzner pointing us to unallowed MAC addresses being registered on their switches.
Still we have not found a working solution.
Maybe you could help us again?

thanks
Sascha
 
