WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-devel

Re: [Xen-devel] promiscuous mode?

To: John Babwell <johnbabwell@xxxxxxxxxxx>
Subject: Re: [Xen-devel] promiscuous mode?
From: Steven Hand <Steven.Hand@xxxxxxxxxxxx>
Date: Fri, 13 Aug 2004 20:16:13 +0100
Cc: xen-devel@xxxxxxxxxxxxxxxxxxxxx
Delivery-date: Fri, 13 Aug 2004 20:19:04 +0100
Envelope-to: steven.hand@xxxxxxxxxxxx
In-reply-to: Your message of "Fri, 13 Aug 2004 13:54:44 CDT." <20040813135444.261f77ad@prana-bindu>
List-archive: <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel>
List-help: <mailto:xen-devel-request@lists.sourceforge.net?subject=help>
List-id: List for Xen developers <xen-devel.lists.sourceforge.net>
List-post: <mailto:xen-devel@lists.sourceforge.net>
List-subscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe>
List-unsubscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe>
Sender: xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx
> Hi, I am just getting set up with Xen-devel, and am impressed!  (I don't
> have a domain starting yet, but am booting into a modified Gentoo
> install and it seems to be ok so far.. )
> 
> I have a question, can Xen disallow promiscuous mode on guest NICs like
> VMware does?  I want to give my trusted web customers root but not
> access to subnet traffic.

The default config uses bridging in domain 0 to connect together all
of the guest NICs; in this case, guests will be able to see anything 
that is on the local network. 

If you want to enforce some 'privacy', you can configure things a
little differently:

  a. use a 'routed' model in which domain0 acts as the gateway; in
     this case, no guest can see anything save point-to-point packets
     between itself and its opposite number in domain0. However, it
     does mean a bit more hassle setting up interfaces in domain0.

  b. use ebtables -- this is an ethernet-level "firewall", which
     should allow you to configure whatever you want. Should be
     more flexible (i.e. can allow some guests to see all bcast
     packets, others to see some, others to see none) and more
     efficient. However, I've never used it :-)


Note that you can automate getting 'stuff' done on domain creation
by editing /etc/xen/xend-conf.sxp ; in particular you can tailor
which scripts are invoked when setting up networking, etc. 



cheers,

S.
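As an added example (not part of Steven's reply or of Xen itself), here is option (b) made concrete: a script that generates, for one guest, the ebtables rules domain0 would run so that the guest's vif only receives frames addressed to its own MAC or to the broadcast address, and cannot emit frames with a forged source MAC. The vif names, the chain naming scheme and the 00:16:3e:... MAC addresses are constructed sample values.

```shell
#!/bin/sh
# Print ebtables rules that keep a promiscuous guest NIC from seeing other
# guests' unicast traffic on the domain0 bridge. Example only; vif names,
# chain names and MACs below are assumptions, not Xen defaults.

# guest_isolation_rules VIF MAC
# VIF is the domain0 end of the guest's NIC (e.g. vif1.0), MAC the address
# assigned to that guest. Output can be piped into 'sh' as root to apply.
guest_isolation_rules() {
    vif=$1
    mac=$2
    # Refuse anything that is not a colon-separated 48-bit MAC address.
    printf '%s' "$mac" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$' || {
        echo "bad MAC: $mac" >&2
        return 1
    }
    chain="IN_$(printf '%s' "$vif" | tr '.' '_')"   # e.g. IN_vif1_0

    # Per-guest chain for frames the bridge is about to deliver to the vif.
    echo "ebtables -N $chain"
    echo "ebtables -A FORWARD -o $vif -j $chain"
    # Deliver only frames addressed to this guest or to everybody; drop the
    # rest, whether or not the bridge would have flooded them to this port.
    # (If the guest needs multicast, e.g. IPv6 neighbour discovery, add an
    # ACCEPT for '-d Multicast' before the DROP.)
    echo "ebtables -A $chain -d $mac -j ACCEPT"
    echo "ebtables -A $chain -d Broadcast -j ACCEPT"
    echo "ebtables -A $chain -j DROP"
    # Anti-spoofing: frames leaving the guest must carry its own MAC, so it
    # cannot impersonate another guest or domain0 to attract their traffic.
    echo "ebtables -A FORWARD -i $vif -s ! $mac -j DROP"
}

# Constructed sample: two guests behind domain0's bridge.
guest_isolation_rules vif1.0 00:16:3e:00:00:01
guest_isolation_rules vif2.0 00:16:3e:00:00:02
```

Because the rules are keyed on the vif and MAC, the function fits naturally into the per-domain network script hooked in via xend-config, as the note below describes.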

     

