Hello, I did some small research regarding ipset filtering for LXC containers, and it turns out that using a standard ipfilter-net* set matching IP/interfaces doesn't filter external IPv4 traffic very well when it goes out from an IP not defined in the set.
For example, we can create interface net0 with IP address 1.1.1.5, enable the firewall for the interface, enable the firewall in the VM options, create an ipfilter-net0 IPset and add the IP to it. Now start the VM and change the IP address of the VM to 1.1.1.6 (inside the VM, of course) and we will have outgoing traffic restricted (while inbound still goes through, as described in the docs), so everything seems to work as supposed. Now try to bind a port with netcat on the VM (nc -v -l -p 9999) and connect to IP 1.1.1.6 from an external peer - the connection will be accepted by the VM but no data will be transmitted. Now wait 10-20 seconds on that keep-alive connection and try to send some data from that session - the data will be received on the peer host; thus, spoofing is possible!
For IPv6, though, it works fine (and even inbound traffic is blocked).
Also, there is another issue: the ipfilter-net* set filters outgoing traffic, but doesn't filter ARP requests/responses. For example, the router for that VM will still have something like:
22:42:33.652657 ARP, Reply 1.1.1.6 is-at 66:5a:23:0f:d9:33 (oui Unknown), length 28
Where 66:5a:23:0f:d9:33 is the MAC address of our VM; thus, if we assign this IP address on another VM with the same filtering, we will have our network messed up.
As you can see, this behaviour can be considered a security flaw. Does it have a purpose, or is it just a bug?
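As an added example (my own code, not from the original post or from Proxmox): a small Python check that parses tcpdump ARP reply lines like the one quoted above and reports the replies the ipfilter-net* set would not have stopped, i.e. a guest MAC answering for an IP outside its set, an unknown MAC, or a second MAC answering for an IP that another guest already answered for. The allow-list mapping and the capture lines are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Matches a "tcpdump -n" ARP reply line like the one quoted in the post.
ARP_REPLY = re.compile(r"^(?P<ts>\S+)\s+ARP,\s+Reply\s+(?P<ip>\d+(?:\.\d+){3})\s+is-at\s+"
                       r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.IGNORECASE)

# Constructed allow-list: each guest NIC's MAC and the IPs its ipfilter-netX set
# permits. In this scenario 1.1.1.6 legitimately belongs to a different guest.
ALLOWED: Dict[str, Set[str]] = {
    "66:5a:23:0f:d9:33": {"1.1.1.5"},
    "aa:bb:cc:dd:ee:01": {"1.1.1.6"},
}

# Constructed capture: the post's reply line plus a few neighbouring lines.
SAMPLE_CAPTURE = [
    "22:42:33.652657 ARP, Reply 1.1.1.6 is-at 66:5a:23:0f:d9:33 (oui Unknown), length 28",
    "22:42:34.100001 ARP, Request who-has 1.1.1.1 tell 1.1.1.5, length 28",
    "22:42:35.000002 ARP, Reply 1.1.1.5 is-at 66:5a:23:0f:d9:33 (oui Unknown), length 28",
    "22:42:36.000003 ARP, Reply 1.1.1.7 is-at de:ad:be:ef:00:01 (oui Unknown), length 28",
    "22:42:37.000004 ARP, Reply 1.1.1.6 is-at aa:bb:cc:dd:ee:01 (oui Unknown), length 28",
]

def parse_arp_reply(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (timestamp, ip, mac) for an ARP reply line, None for anything else."""
    m = ARP_REPLY.match(line.strip())
    return (m.group("ts"), m.group("ip"), m.group("mac").lower()) if m else None

def check_capture(lines: List[str], allowed: Dict[str, Set[str]]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, ip, mac, reason) for each reply that should not be on the segment:
    unknown MAC, MAC answering outside its ipfilter set, or a second MAC answering for an IP."""
    findings = []
    seen_at: Dict[str, str] = {}  # first MAC observed answering for each IP
    for line in lines:
        parsed = parse_arp_reply(line)
        if parsed is None:
            continue  # ARP requests and non-ARP lines are not checked here
        ts, ip, mac = parsed
        if mac not in allowed:
            reason = "unknown MAC"
        elif ip not in allowed[mac]:
            reason = "IP not in this guest's ipfilter set"
        elif ip in seen_at and seen_at[ip] != mac:
            reason = f"IP also claimed by {seen_at[ip]}"
        else:
            reason = None
        seen_at.setdefault(ip, mac)
        if reason:
            findings.append((ts, ip, mac, reason))
    return findings
```

Feeding it the output of `tcpdump -n -i <bridge> arp` on the host gives a simple alert source for exactly the ARP-level symptom the post describes.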