ipfilter to prevent spoofing

Discussion in 'Proxmox VE: Networking and Firewall' started by arcanatigris, Nov 2, 2018.

  1. arcanatigris

    arcanatigris New Member

    Joined:
    Dec 1, 2016
    Messages:
    7
    Likes Received:
    1
    I'm trying to configure the IP-filter, but so far no luck.

    /etc/pve/firewall/102.fw
    Code:
    [IPSET ipfilter-net0]
    
    xx.xx.111.42 # net0
    With the above config spoofing is still possible. Am I missing a setting?
     
  2. spirit

    spirit Well-Known Member
    Proxmox VE Subscriber

    Joined:
    Apr 2, 2010
    Messages:
    3,158
    Likes Received:
    106
    Do you have the firewall enabled in the VM and on the VM network interface?
     
  3. arcanatigris

    I'm 99% sure that I've read in a thread somewhere that enabling the VM firewall is not a requirement.
    However, even with the VM firewall on, it does let the invalid IP through.
     
  4. spirit

    You need the firewall enabled in the VM options to get it to work (and the firewall enabled on the datacenter too).

    Can you check in

    #iptables-save

    if you have

    -m set ! --match-set $ipfilter_ipset src -j DROP
    (where $ipfilter_ipset is the ipset-net0 + vmid, not sure about the syntax)

    Also, do you have the firewall enabled in the VM options AND on the network interface in the VM?
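
The checks requested in the reply above, collected into one script. This is an added example, not part of the original thread or of Proxmox's own tooling. The function names are hypothetical, the sample files are constructed, and the locations of `cluster.fw` and `102.conf` assume a standard install; the rule match only requires a set name containing `ipfilter-net0`, since the thread does not give the exact name.

```shell
#!/bin/sh
# Added example: verifies the conditions under which the ipfilter ipset is
# enforced (datacenter firewall, VM firewall, NIC firewall flag, DROP rule).

# True if the [OPTIONS] section of a firewall file contains "enable: 1".
fw_enabled() {
    awk '/^\[/ { in_opt = (toupper($0) ~ /^\[OPTIONS\]/) }
         in_opt && /^[ \t]*enable:[ \t]*1[ \t]*$/ { found = 1 }
         END { exit !found }' "$1"
}

# True if NIC $2 (e.g. net0) in VM config $1 carries the firewall=1 flag.
nic_firewalled() {
    grep -Eq "^$2:.*[ ,]firewall=1(,|\$)" "$1"
}

# True if the iptables-save dump in $1 drops packets whose source address is
# not in the ipfilter set for NIC $2 (the rule shape quoted in the thread).
has_ipfilter_drop() {
    grep -Eq -- "-m set ! --match-set [^ ]*ipfilter-$2[^ ]* src -j DROP" "$1"
}

# Args: cluster.fw vm.fw vm.conf iptables-save-dump nic. Returns 0 if all pass.
check_ipfilter() {
    rc=0
    fw_enabled "$1"             || { echo "datacenter firewall not enabled"; rc=1; }
    fw_enabled "$2"             || { echo "VM firewall not enabled"; rc=1; }
    nic_firewalled "$3" "$5"    || { echo "firewall=1 missing on $5"; rc=1; }
    has_ipfilter_drop "$4" "$5" || { echo "no ipfilter DROP rule for $5"; rc=1; }
    return $rc
}

# Constructed sample files so the script runs offline. On a host, pass
# /etc/pve/firewall/cluster.fw, /etc/pve/firewall/102.fw,
# /etc/pve/qemu-server/102.conf and a file written by iptables-save.
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
printf '[OPTIONS]\nenable: 1\n' > "$d/cluster.fw"
# 102.fw as posted in the thread: an ipset but no [OPTIONS] section.
printf '[IPSET ipfilter-net0]\n\nxx.xx.111.42 # net0\n' > "$d/102.fw"
printf 'net0: virtio=AA:BB:CC:DD:EE:FF,bridge=vmbr0,firewall=1\n' > "$d/102.conf"
printf '%s\n' '-A INPUT -j ACCEPT' > "$d/rules"   # dump with no ipfilter rule
check_ipfilter "$d/cluster.fw" "$d/102.fw" "$d/102.conf" "$d/rules" net0 \
    || echo "=> ipfilter-net0 is not being enforced"
```

On the constructed input it reports that the VM firewall is not enabled and that no DROP rule exists for `net0`.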
     