blob: c6c858dad08a25b783cafb24b1a7797f6a7efacb (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
|
<filter name='no-arp-spoofing' chain='arp'>
<uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid>
<rule action='drop' direction='out' priority='300' >
<mac match='no' srcmacaddr='$MAC'/>
</rule>
<!-- no arp spoofing -->
<!-- drop if ipaddr or macaddr does not belong to guest -->
<rule action='drop' direction='out' priority='350' >
<arp match='no' arpsrcmacaddr='$MAC'/>
</rule>
<rule action='drop' direction='out' priority='400' >
<arp match='no' arpsrcipaddr='$IP' />
</rule>
<!-- drop if ipaddr or macaddr odes not belong to guest -->
<rule action='drop' direction='in' priority='450' >
<arp match='no' arpdstmacaddr='$MAC'/>
<arp opcode='reply'/>
</rule>
<rule action='drop' direction='in' priority='500' >
<arp match='no' arpdstipaddr='$IP' />
</rule>
<!-- accept only request or reply packets -->
<rule action='accept' direction='inout' priority='600' >
<arp opcode='request'/>
</rule>
<rule action='accept' direction='inout' priority='650' >
<arp opcode='reply'/>
</rule>
<!-- drop everything else -->
<rule action='drop' direction='inout' priority='1000' />
</filter>
|