WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-users] Promiscuous mode

from [Felix Kuperjans] [Permanent Link][Original]
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Promiscuous mode
From: Felix Kuperjans <felix@xxxxxxxxxxxxxxxxxx>
Date: Mon, 14 Jun 2010 13:56:06 +0200
Delivery-date: Mon, 14 Jun 2010 05:01:44 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <BAY148-w651B8F99D0D35EDC599C60EFDC0@xxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <46C13AA90DB8844DAB79680243857F0F062072@xxxxxxxxxxxxxxxxxxx> <BAY148-w651B8F99D0D35EDC599C60EFDC0@xxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100613 Shredder/3.0.4
Hi Jonathan,

keep in mind that others may still use ARP spoofing attacks, because your rules do not filter ARP packages. This will not allow hosts to receive packages of other hosts in that scenario, but it could still deny the communication of other hosts completely.

You won't have any promiscious interfaces if you use routing, btw.

Regards,
Felix

Am 14.06.2010 13:19, schrieb Mike Viau:
> Mon, 14 Jun 2010 10:41:49 +0100 <jonnyt@xxxxxxxxxxx> wrote:
> Hi Everyone,

> In order to prevent DomU from entering promiscuous mode, is it just a matter of adding these 2 rules when the vif is created?

> # Accept packets leaving the bridge going to the domU only if
>   #  the destination IP for that packet matches an authorized IPv4
>   #  address for that domU.
>   iptables -A FORWARD -m physdev --physdev-out vif1.0 \
    --destination 216.146.46.43 -j ACCEPT

>   # Accept packets coming into the bridge leaving the physical
>   #  network interface peth0 only if the source IP for that packet
>   #  matches an authorized IPv4 address for that domU.  
>   iptables -A FORWARD -m physdev --physdev-in vif1.0 \
>     --physdev-out peth0 --source 216.146.46.43 -j ACCEPT
> I got the above from http://www.standingonthebrink.com/index.php/ipv6-ipv4-and-arp-on-xen-for-vps/
> Does that provide total protection? What about if traffic was going from Dom1 to Dom3, could Dom2 snoop in?
> Thanks


I would think so, provided the rules above filter all traffic expect to/from a specific ip. Therefore if all domU are on separate ip networks the traffic should be on completely different networks too.

Look 'em in the eye: FREE Messenger video chat Chat Now! 

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-users] Live migrate using DRBD, Mark Adams
Next by Date:  RE: [Xen-users] Promiscuous mode, Jonathan Tripathy
Previous by Thread:  RE: [Xen-users] Promiscuous mode, Mike Viau
Next by Thread:  RE: [Xen-users] Promiscuous mode, Jonathan Tripathy
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy