I am trying to limit users from hijacking IPs other than the ones assigned by OpenNebula.
- Automatically assign an IP to a VM. Let's say IP 10.0.0.1
- The user wants to abuse the system and manually sets the IP in the VM to 10.0.0.2 once booted and online
- This new IP 10.0.0.2 is working and reachable(!)
I am using CentOS 7 on my hypervisors and firewalld for port control/security.
For the Virtual Network I use the following config (Bridge + security), see image.
I am NOT using 'FILTER = "clean-traffic"' in my template in this scenario. The problem with this setting is that it prevents hijacking BUT I can't make a secondary IP reachable…?
Maybe there is a setting that I am not aware of that needs to be set to make FILTER_IP_SPOOFING work?
We really want to use OpenNebula, but the ability to hijack IPs prevents us from using it in production.
Thanks in advance!!