
Prevent MAC spoofing

Open mateuszkwiatkowski opened this issue 4 years ago • 0 comments

Hello @churchers,

Currently MAC addresses inside guests can be changed at the user's will. This definitely is not optimal security-wise. I figured there are two ways to improve this situation.

  1. Use if_bridge capabilities

    # pin the guest MAC as a static entry for tap0, then stop the bridge
    # from learning or discovering any other address on that port
    ifconfig vm-public static tap0 58:9c:fc:0a:c2:08
    ifconfig vm-public -learn tap0
    ifconfig vm-public -discover tap0

  2. Use ipfw

    IF="tap0"
    MAC="58:9c:fc:0a:c2:08"

    # ipfw mac syntax is "mac dst-mac src-mac":
    # 2000 allows frames sent by the guest (source MAC is the guest's)
    # 2010 allows frames addressed to the guest (destination MAC is the guest's)
    ipfw add 2000 allow all from any to any mac any $MAC via $IF
    ipfw add 2010 allow all from any to any mac $MAC any via $IF

After enabling one of these on the hypervisor, changing the MAC address in the guest results in no connectivity. While the first method is easier to implement in vm-bhyve (here), it's not switch-type agnostic. The second one will make vm-bhyve depend on ipfw. On the other hand, it would be required for the next step: preventing IP spoofing. Let me know what you think about this topic. I'll be happy to prepare a pull request for this.

Thanks @pbiernacki and mzar for helping with the bridge configuration.

mateuszkwiatkowski, May 13 '20 21:05
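The two approaches from the issue, wrapped into a small FreeBSD hypervisor-side script, as an added example (not the issue author's code and not part of vm-bhyve). The bridge name vm-public, tap0, the guest MAC and the ipfw rule numbers 2000-2020 are illustrative. Two things are added beyond the commands in the issue and are assumptions of this example: the sysctl net.link.ether.ipfw=1, which ipfw needs in order to see layer-2 frames at all, and an explicit layer2 deny rule after the two allows, so the lockdown does not silently depend on ipfw's default policy being deny. Set DRY_RUN=1 to print the commands instead of executing them.

```shell
#!/bin/sh
# Added example: lock a bhyve guest's tap interface to one MAC address using
# either the if_bridge method or the ipfw method discussed in the issue.
# Interface names, MAC and rule numbers are placeholders (assumptions).
# DRY_RUN=1 prints the commands instead of running them.

# valid_mac MAC -> succeeds only for six colon-separated hex octets
valid_mac() {
    echo "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# run CMD... -> execute the command, or echo it when DRY_RUN is set
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# bridge_lock BRIDGE TAP MAC: pin MAC as a static entry for TAP and stop the
# bridge from learning or discovering any other address on that port.
# This is the if_bridge method; it only works when the switch is if_bridge.
bridge_lock() {
    bridge=$1 tap=$2 mac=$3
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    run ifconfig "$bridge" static "$tap" "$mac" &&
    run ifconfig "$bridge" -learn "$tap" &&
    run ifconfig "$bridge" -discover "$tap"
}

# ipfw_lock TAP MAC [BASE]: allow only frames to/from MAC on TAP.
# ipfw "mac" syntax is "mac dst-mac src-mac". The sysctl and the final
# layer2 deny at BASE+20 are additions of this example (assumptions): the
# sysctl makes ipfw inspect ethernet frames, and the deny makes the result
# independent of the firewall's default policy.
ipfw_lock() {
    tap=$1 mac=$2 base=${3:-2000}
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    run sysctl net.link.ether.ipfw=1 &&
    run ipfw add "$base" allow all from any to any mac any "$mac" via "$tap" &&
    run ipfw add $((base + 10)) allow all from any to any mac "$mac" any via "$tap" &&
    run ipfw add $((base + 20)) deny layer2 all from any to any via "$tap"
}

# Usage (run as root on the hypervisor, or with DRY_RUN=1 to preview):
#   bridge_lock vm-public tap0 58:9c:fc:0a:c2:08
#   ipfw_lock tap0 58:9c:fc:0a:c2:08 2000
```

The deny rule carries the layer2 keyword so that it only applies to the ethernet pass of the frame; with net.link.ether.ipfw=1 an IP packet traverses ipfw twice (once as a frame, once as an IP packet), and a plain deny via the tap would also hit the second pass and kill the guest's legitimate traffic.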