<filter name='clean-traffic' chain='root'>
   <!-- Example filter on the 'root' chain that enforces clean traffic from a
        VM by chaining several anti-spoofing filters. Every filter named in a
        filterref below is defined outside this file, so what each one
        actually matches has to be checked in that filter's own definition.
        Element order is kept exactly as in the original. -->

   <!-- 1. Prevent MAC spoofing. -->
   <filterref filter='no-mac-spoofing'/>

   <!-- 2. Prevent IP spoofing on outgoing traffic; allow all IPv4 on incoming.
        NOTE(review): the address that no-ip-spoofing compares against is
        not set in this file; confirm where the guest IP comes from before
        relying on this step. -->
   <filterref filter='no-ip-spoofing'/>

   <!-- Accept outgoing frames whose protocol ID is IPv4 (priority -650);
        presumably these are the frames no-ip-spoofing did not drop. -->
   <rule action='accept' direction='out' priority='-650'>
      <mac protocolid='ipv4'/>
   </rule>

   <filterref filter='allow-incoming-ipv4'/>

   <!-- 3. Prevent ARP spoofing/poisoning. -->
   <filterref filter='no-arp-spoofing'/>

   <!-- Accept all other ARP traffic in both directions (priority -500). -->
   <rule action='accept' direction='inout' priority='-500'>
      <mac protocolid='arp'/>
   </rule>

   <!-- 4. Prevent any traffic other than IPv4 and ARP.
        NOTE(review): a guest that needs IPv6 or another layer 2 protocol
        would presumably lose it under this filter; verify against the
        definition of no-other-l2-traffic. -->
   <filterref filter='no-other-l2-traffic'/>

   <!-- 5. Allow qemu to send a self-announce when a migration ends.
        NOTE(review): this reference follows no-other-l2-traffic; whether
        the announce frames still pass depends on rule priorities inside the
        referenced filters, which are not shown here. -->
   <filterref filter='qemu-announce-self'/>

</filter>