WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

[Xen-users] Promiscuous mode

To: <Xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-users] Promiscuous mode
From: "Jonathan Tripathy" <jonnyt@xxxxxxxxxxx>
Date: Mon, 14 Jun 2010 10:41:49 +0100
List-id: Xen user discussion <xen-users.lists.xensource.com>

Hi Everyone,
 
In order to prevent a DomU from entering promiscuous mode, is it just a matter of adding these two rules when the vif is created?
 
  # Accept packets leaving the bridge going to the domU only if
  #  the destination IP for that packet matches an authorized IPv4
  #  address for that domU.
  iptables -A FORWARD -m physdev --physdev-out vif1.0 \
    --destination 216.146.46.43 -j ACCEPT

  # Accept packets coming into the bridge from vif1.0 and leaving
  #  via the physical network interface peth0 only if the source IP
  #  for that packet matches an authorized IPv4 address for that domU.
  iptables -A FORWARD -m physdev --physdev-in vif1.0 \
    --physdev-out peth0 --source 216.146.46.43 -j ACCEPT
I got the above from http://www.standingonthebrink.com/index.php/ipv6-ipv4-and-arp-on-xen-for-vps/
Does that provide total protection? What if traffic were going from Dom1 to Dom3; could Dom2 snoop on it?
Thanks
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
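The two ACCEPT rules quoted in the post only do anything if something after them drops what they did not accept, and iptables never sees ARP, so a guest in promiscuous mode could still read ARP traffic for other guests' addresses unless ebtables filters it. The script below is an added example written for this archive page; it is not code from the original post, from the linked site, or from the Xen project. It generates a complete per-vif rule set (the post's two ACCEPT rules inside a per-vif chain that ends in DROP, plus ebtables ARP rules) and prints it for review before anything is run as root. The interface names vif1.0 and peth0, the address 216.146.46.43, the chain-naming scheme, and the hotplug usage are assumptions taken from the post's own examples; the sysctl and bridge layout noted in the header are assumptions about the host.

```shell
#!/bin/sh
# Added example, not from the original post or the linked page.
# Builds the per-vif filter for a Xen domU that is allowed exactly one
# IPv4 address: the two ACCEPT rules from the post, plus the pieces they
# need to actually block anything (a chain that ends in DROP) and the
# ARP half that iptables cannot see (ebtables).
#
# Assumptions (hypothetical, adjust for your host):
#   - bridged frames traverse iptables FORWARD, i.e.
#     sysctl net.bridge.bridge-nf-call-iptables=1
#   - the physical bridge port is peth0 (old Xen network-bridge naming)
#   - ebtables is installed; guest addresses are static (the final DROP
#     also stops DHCP and other broadcast/multicast IP traffic to the
#     guest, and guest-to-guest traffic, exactly as the post's rules do)

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255, so a
# mis-set variable cannot expand into a broader rule than intended.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# vif_rules VIF PETH ADDR: print the commands, one per line, so they can
# be reviewed or diffed before being run as root.
vif_rules() {
    vif="$1"; peth="$2"; addr="$3"
    valid_ipv4 "$addr" || { echo "vif_rules: bad IPv4 address '$addr'" >&2; return 1; }
    # One user chain per vif (hypothetical naming: vif1.0 -> vif-vif1-0).
    chain="vif-$(printf '%s' "$vif" | tr '.' '-')"
    cat <<EOF
iptables -N $chain
iptables -A FORWARD -m physdev --physdev-in $vif -j $chain
iptables -A FORWARD -m physdev --physdev-out $vif -j $chain
iptables -A $chain -m physdev --physdev-in $vif --physdev-out $peth -s $addr -j ACCEPT
iptables -A $chain -m physdev --physdev-out $vif -d $addr -j ACCEPT
iptables -A $chain -j DROP
ebtables -A FORWARD -p ARP -i $vif --arp-ip-src ! $addr -j DROP
ebtables -A FORWARD -p ARP -o $vif --arp-ip-dst ! $addr -j DROP
EOF
}

# main VIF PETH ADDR [--apply]: print by default; run the commands only
# when --apply is given (requires root).
main() {
    [ $# -ge 3 ] || { echo "usage: $0 VIF PETH ADDR [--apply]" >&2; return 2; }
    rules=$(vif_rules "$1" "$2" "$3") || return 1
    if [ "${4:-}" = "--apply" ]; then
        printf '%s\n' "$rules" | while IFS= read -r cmd; do
            $cmd || exit 1    # stop on the first failing rule
        done || return 1
    else
        printf '%s\n' "$rules"
    fi
}

# Only act when invoked with arguments (e.g. from a vif hotplug script):
#   sh vif-rules.sh vif1.0 peth0 216.146.46.43          # review
#   sh vif-rules.sh vif1.0 peth0 216.146.46.43 --apply  # as root
[ $# -eq 0 ] || main "$@"
```

The ebtables rules drop ARP frames from the vif that do not claim the guest's own address, and ARP frames towards the vif whose target is some other address, so a promiscuous guest sees only its own ARP traffic; the iptables chain does the same for IP. Both halves are needed, and the rules should be removed again in the vif's offline path so a reused vif name does not inherit a stale address.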