Are there any downsides to enforcing that the interface can only be used for the dhcp service?—
Sent from Mailbox
On Fri, May 30, 2014 at 12:42 PM, Bryan D. Payne <email address hidden> wrote:
> It seems to me that people should be deploying nodes such that this
> interface isn't used for anything other than the instance's dhcp
> service. I suspect that many people are already doing this, but perhaps
> it isn't obvious that it is a necessary step for security reasons?
> --
> You received this bug notification because you are a member of OpenStack
> Security Group, which is subscribed to OpenStack.
> https://bugs.launchpad.net/bugs/1316271
> Title:
> Network Security: VM hosts can SSH to compute node
> Status in OpenStack Compute (Nova):
> New
> Status in OpenStack Security Advisories:
> Incomplete
> Bug description:
> Hi guys,
> We're still using nova-network and we'll be using it for a while
> and we noticed that the VM guests can contact the compute nodes on all
> ports ... The one we're the most preoccupied with is SSH. We've
> written the following patch in order to isolate the VM guests from the
> VM hosts.
> --- linux_net.py.orig 2014-05-05 17:25:10.171746968 +0000
> +++ linux_net.py 2014-05-05 18:42:54.569209220 +0000
> @@ -805,6 +805,24 @@
>
> @utils.synchronized('lock_gateway', external=True)
> +def isolate_compute_from_guest(network_ref):
> + if not network_ref:
> + return
> +
> + iptables_manager.ipv4['filter'].add_rule('INPUT',
> + '-p tcp -d %s --dport 8775 '
> + '-j ACCEPT' % network_ref['dhcp_server'])
> + iptables_manager.ipv4['filter'].add_rule('FORWARD',
> + '-p tcp -d %s --dport 8775 '
> + '-j ACCEPT' % network_ref['dhcp_server'])
> + iptables_manager.ipv4['filter'].add_rule('INPUT',
> + '-d %s '
> + '-j DROP' % network_ref['dhcp_server'])
> + iptables_manager.ipv4['filter'].add_rule('FORWARD',
> + '-d %s '
> + '-j DROP' % network_ref['dhcp_server'])
> + iptables_manager.apply()
> +
> def initialize_gateway_device(dev, network_ref):
> if not network_ref:
> return
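Review bot: the new `+def isolate_compute_from_guest(network_ref):` is inserted directly below the unchanged `@utils.synchronized('lock_gateway', external=True)` line, so that decorator now binds to the new function and `initialize_gateway_device` silently loses its lock; add a decorator line of its own above the new function (or insert the function above the existing decorator) so both definitions keep it. Separately, the two DROP rules match only `-d <dhcp_server>` with no `-i` interface or protocol qualifier, so they block every protocol to that address from every source; that is only safe if the ACCEPT rules installed by `_add_dnsmasq_accept_rules(dev)` are guaranteed to sort ahead of them, and it still says nothing about other addresses the compute node holds, which is the deployment point Bryan raises. The FORWARD ACCEPT/DROP pair targets a host-local address that routed traffic in FORWARD will not normally carry, so those two rules can probably be dropped.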
> @@ -1046,6 +1064,7 @@
> try:
> _execute('kill', '-HUP', pid, run_as_root=True)
> _add_dnsmasq_accept_rules(dev)
> + isolate_compute_from_guest(network_ref)
> return
> except Exception as exc: # pylint: disable=W0703
> LOG.error(_('Hupping dnsmasq threw %s'), exc)
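Review bot: `isolate_compute_from_guest(network_ref)` runs inside the `try` whose `except` logs `Hupping dnsmasq threw %s`, so a failure to install the iptables rules is reported as a dnsmasq HUP failure and control continues past the `return` as if the HUP had failed; either move the call after the `try`/`except` or give it its own handler so the log points at the real cause. Its position after `_add_dnsmasq_accept_rules(dev)` is correct, since the ACCEPT rules must precede the broad DROP rules the new function appends.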
> @@ -1098,6 +1117,7 @@
> _add_dnsmasq_accept_rules(dev)
> + isolate_compute_from_guest(network_ref)
> @utils.synchronized('radvd_start')
> def update_ra(context, dev, network_ref):
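Review bot: the rules are now installed on both the start path here and the HUP path above, but the patch adds no counterpart that removes them when the network's dhcp server is stopped, and `iptables_manager.apply()` persists them, so a DROP for a reused address will linger on the host; add a matching remove path called from the teardown side. Style: there is no blank line between `+ isolate_compute_from_guest(network_ref)` and `@utils.synchronized('radvd_start')`, and a top-level definition should be preceded by two.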
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/nova/+bug/1316271/+subscriptions
> _______________________________________________
> Openstack-security mailing list
> <email address hidden>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security