<!--
  libvirt nwfilter "no-arp-spoofing": rules on the 'arp' chain that tie a
  guest's ARP traffic to its own MAC ($MAC) and IP ($IP).
  $MAC and $IP are filter variables substituted when the filter is
  instantiated for a guest interface. NOTE(review): the arpsrcipaddr /
  arpdstipaddr rules below need $IP to be populated by whatever references
  this filter — confirm how the caller supplies it.
  Rules are evaluated in priority order (lower numeric priority first), so
  the drop rules (300-500) are applied before the accept rules (600/650)
  and the final catch-all drop (1000).
-->
<filter name='no-arp-spoofing' chain='arp'>
    <uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid>
    <!-- drop outbound frames on this chain whose Ethernet source MAC is not the guest's -->
    <rule action='drop' direction='out' priority='300' >
        <mac match='no' srcmacaddr='$MAC'/>
    </rule>

    <!-- no arp spoofing -->
    <!-- drop outbound ARP whose sender MAC or sender IP does not belong to the guest -->
    <rule action='drop' direction='out' priority='350' >
        <arp match='no' arpsrcmacaddr='$MAC'/>
    </rule>
    <rule action='drop' direction='out' priority='400' >
        <arp match='no' arpsrcipaddr='$IP' />
    </rule>
    <!-- drop inbound ARP whose target MAC (replies only) or target IP does not belong to the guest -->
    <!-- the two <arp> elements in the next rule presumably both have to match the same
         packet (an inbound reply not addressed to $MAC) — confirm against the nwfilter docs -->
    <rule action='drop' direction='in' priority='450' >
        <arp match='no' arpdstmacaddr='$MAC'/>
        <arp opcode='reply'/>
    </rule>
    <rule action='drop' direction='in' priority='500' >
        <arp match='no' arpdstipaddr='$IP' />
    </rule>
    <!-- accept only request or reply packets (in either direction) -->
    <rule action='accept' direction='inout' priority='600' >
        <arp opcode='request'/>
    </rule>
    <rule action='accept' direction='inout' priority='650' >
        <arp opcode='reply'/>
    </rule>
    <!-- drop everything else: any packet on this chain not accepted above, e.g. other ARP opcodes -->
    <rule action='drop' direction='inout' priority='1000' />
</filter>