ipfilter to prevent spoofing

[arcanatigris]

Im trying to configure the IP-filter but so far no luck.

/etc/pve/firewall/102.fw

[IPSET ipfilter-net0]

xx.xx.111.42 # net0

With the above config spoofing is still possible. Am I missing a setting?

 

[spirit]

do you have enabled firewall in the vm and in the vm network interface ?

 

[arcanatigris]

do you have enabled firewall in the vm and in the vm network interface ?

I'm 99% sure that I've read in a thread somewhere that enabling the vm firewall is not a requirement.
However even with the vm firewall on it does let the invalid ip through

 

[spirit]

you need firewall enabled in vm options to get it work. (and firewall enabled on datacenter too)

can you check in

#iptables-save

if you have

-m set ! --match-set $ipfilter_ipset src -j DROP
(where $ipfilter_ipset is the ipset-net0 + vmid, not sure about the syntax)


also, do you have enable firewall in vm options AND on network interface in the vm ?