[Xen-API] XCP 1.5 antispoofing rules
Good day. I've started looking into the XCP rules applied in locked mode (antispoofing). It looks really strange. Here is the output of ovs-ofctl dump-flows xenbr1 for a single VM with the following settings on the vif:

locking-mode ( RW): locked
ipv4-allowed (SRW): 31.186.98.19
ipv6-allowed (SRW): a100::ff00

ovs-ofctl dump-flows xenbr0|sort -k 8 -r
NXST_FLOW reply (xid=0x4):
cookie=0x0, duration=296.668s, table=0, n_packets=0, n_bytes=0, priority=8000,udp,in_port=3,dl_src=a6:9a:38:42:e0:ae,tp_dst=67 actions=NORMAL
cookie=0x0, duration=296.654s, table=0, n_packets=0, n_bytes=0, priority=7000,arp,in_port=3,dl_src=a6:9a:38:42:e0:ae,nw_src=0.0.0.0,arp_sha=a6:9a:38:42:e0:ae actions=NORMAL
cookie=0x0, duration=296.641s, table=0, n_packets=0, n_bytes=0, priority=7000,arp,in_port=3,dl_src=a6:9a:38:42:e0:ae,nw_src=31.186.98.19,arp_sha=a6:9a:38:42:e0:ae actions=NORMAL
cookie=0x0, duration=296.628s, table=0, n_packets=0, n_bytes=0, priority=6000,ip,in_port=3,dl_src=a6:9a:38:42:e0:ae,nw_src=31.186.98.19 actions=NORMAL
cookie=0x0, duration=296.615s, table=0, n_packets=0, n_bytes=0, priority=8000,icmp6,in_port=3,dl_src=a6:9a:38:42:e0:ae,ipv6_src=a100::ff00,icmp_type=135,nd_sll=a6:9a:38:42:e0:ae actions=NORMAL
cookie=0x0, duration=296.602s, table=0, n_packets=0, n_bytes=0, priority=8000,icmp6,in_port=3,dl_src=a6:9a:38:42:e0:ae,ipv6_src=a100::ff00,icmp_type=136,nd_target=a100::ff00 actions=NORMAL
cookie=0x0, duration=296.589s, table=0, n_packets=0, n_bytes=0, priority=5000,icmp6,in_port=3,dl_src=a6:9a:38:42:e0:ae,ipv6_src=a100::ff00 actions=NORMAL
cookie=0x0, duration=296.576s, table=0, n_packets=0, n_bytes=0, priority=5000,tcp6,in_port=3,dl_src=a6:9a:38:42:e0:ae,ipv6_src=a100::ff00 actions=NORMAL
cookie=0x0, duration=296.563s, table=0, n_packets=0, n_bytes=0, priority=5000,udp6,in_port=3,dl_src=a6:9a:38:42:e0:ae,ipv6_src=a100::ff00 actions=NORMAL
cookie=0x0, duration=296.55s, table=0, n_packets=0, n_bytes=0, priority=7000,icmp6,in_port=3,icmp_type=135 actions=drop
cookie=0x0, duration=296.537s, table=0, n_packets=0, n_bytes=0, priority=7000,icmp6,in_port=3,icmp_type=136 actions=drop
cookie=0x0, duration=296.524s, table=0, n_packets=0, n_bytes=0, priority=6000,icmp6,in_port=3,icmp_type=134 actions=drop
cookie=0x0, duration=296.512s, table=0, n_packets=0, n_bytes=0, priority=6000,icmp6,in_port=3,icmp_type=137 actions=drop
cookie=0x0, duration=296.499s, table=0, n_packets=0, n_bytes=0, priority=6000,icmp6,in_port=3,icmp_type=146 actions=drop
cookie=0x0, duration=296.48s, table=0, n_packets=0, n_bytes=0, priority=6000,icmp6,in_port=3,icmp_type=151 actions=drop
cookie=0x0, duration=296.489s, table=0, n_packets=0, n_bytes=0, priority=6000,icmp6,in_port=3,icmp_type=147 actions=drop
cookie=0x0, duration=296.472s, table=0, n_packets=0, n_bytes=0, priority=6000,icmp6,in_port=3,icmp_type=152 actions=drop
cookie=0x0, duration=296.463s, table=0, n_packets=0, n_bytes=0, priority=6000,icmp6,in_port=3,icmp_type=153 actions=drop
cookie=0x0, duration=296.455s, table=0, n_packets=0, n_bytes=0, priority=4000,in_port=3 actions=drop
cookie=0x0, duration=1130.774s, table=0, n_packets=6198, n_bytes=998970, priority=0 actions=NORMAL
Set of questions:

1) Why those strange 'icmp_type=X actions=drop' rules before 'drop all'?
2) Why does IPv6 allow only TCP and UDP? Are all other protocols banned?
3) UDP for DHCP being enabled by default is not really good, because the sender can fake the source address and send DHCP requests outside the network, allowing a virtual machine to be used to attack a victim with a faked source IP address.

_______________________________________________
Xen-api mailing list
Xen-api@xxxxxxxxxxxxx
http://lists.xen.org/cgi-bin/mailman/listinfo/xen-api
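The flow table above is evaluated the way any OpenFlow table is: every flow whose match fields all agree with the packet is a candidate, and the one with the highest priority wins. The following Python is an added example, not code from the post or from XCP/Open vSwitch, that parses a subset of the dump (constructed from the flows listed above, with the cookie/duration prefix dropped) and replays a few packets through a toy matcher. It shows why the priority-7000 and 6000 icmp6 drops sit between the priority-8000 neighbor-discovery allows and the priority-5000 general icmp6 allow: without them, an ND message that fails the strict nd_sll/nd_target check would fall through to the broader icmp6 allow instead of being dropped. It also shows that the priority-8000 DHCP rule matches regardless of nw_src, which is the behaviour question 3 raises. The field-name expansions for the protocol shorthands (ip, udp, arp, icmp6, tcp6, udp6) are this example's own simplification of the ovs-ofctl syntax.

```python
"""Toy OpenFlow table lookup: highest-priority matching flow wins.
Added example; simplified model, not Open vSwitch code."""

VIF_MAC = "a6:9a:38:42:e0:ae"

# Constructed subset of the flows from the dump, as printed by
# `ovs-ofctl dump-flows` without the cookie/duration/counter prefix.
FLOW_DUMP = """\
priority=8000,udp,in_port=3,dl_src=a6:9a:38:42:e0:ae,tp_dst=67 actions=NORMAL
priority=7000,arp,in_port=3,dl_src=a6:9a:38:42:e0:ae,nw_src=31.186.98.19,arp_sha=a6:9a:38:42:e0:ae actions=NORMAL
priority=6000,ip,in_port=3,dl_src=a6:9a:38:42:e0:ae,nw_src=31.186.98.19 actions=NORMAL
priority=8000,icmp6,in_port=3,dl_src=a6:9a:38:42:e0:ae,ipv6_src=a100::ff00,icmp_type=135,nd_sll=a6:9a:38:42:e0:ae actions=NORMAL
priority=5000,icmp6,in_port=3,dl_src=a6:9a:38:42:e0:ae,ipv6_src=a100::ff00 actions=NORMAL
priority=5000,tcp6,in_port=3,dl_src=a6:9a:38:42:e0:ae,ipv6_src=a100::ff00 actions=NORMAL
priority=7000,icmp6,in_port=3,icmp_type=135 actions=drop
priority=6000,icmp6,in_port=3,icmp_type=134 actions=drop
priority=4000,in_port=3 actions=drop
priority=0 actions=NORMAL
"""

# Simplified expansion of ovs-ofctl protocol shorthands into header fields.
PROTO_KEYWORDS = {
    "ip":    {"dl_type": "ipv4"},
    "udp":   {"dl_type": "ipv4", "nw_proto": "udp"},
    "tcp":   {"dl_type": "ipv4", "nw_proto": "tcp"},
    "arp":   {"dl_type": "arp"},
    "icmp6": {"dl_type": "ipv6", "nw_proto": "icmp6"},
    "tcp6":  {"dl_type": "ipv6", "nw_proto": "tcp"},
    "udp6":  {"dl_type": "ipv6", "nw_proto": "udp"},
}


def parse_flows(dump):
    """Turn dump lines into {priority, match, actions} records."""
    flows = []
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        match_part, actions = line.split(" actions=", 1)
        match, priority = {}, 0          # OVS default priority is 0
        for tok in match_part.split(","):
            if tok in PROTO_KEYWORDS:
                match.update(PROTO_KEYWORDS[tok])
            elif tok.startswith("priority="):
                priority = int(tok.split("=", 1)[1])
            else:
                key, value = tok.split("=", 1)
                match[key] = value
        flows.append({"priority": priority, "match": match, "actions": actions})
    return flows


def lookup(flows, packet):
    """Return (priority, actions) of the best matching flow, like the datapath does."""
    best = None
    for flow in flows:
        if all(packet.get(k) == v for k, v in flow["match"].items()):
            if best is None or flow["priority"] > best["priority"]:
                best = flow
    return (best["priority"], best["actions"]) if best else (None, "no match")


FLOWS = parse_flows(FLOW_DUMP)


def classify(packet):
    return lookup(FLOWS, packet)


# Constructed packets arriving from the VM's vif (in_port=3).
ND_SOLICIT_OK = {"in_port": "3", "dl_src": VIF_MAC, "dl_type": "ipv6", "nw_proto": "icmp6",
                 "ipv6_src": "a100::ff00", "icmp_type": "135", "nd_sll": VIF_MAC}
ND_SOLICIT_BAD_SLL = dict(ND_SOLICIT_OK, nd_sll="02:00:00:00:00:01")   # forged link-layer option
ND_SOLICIT_BAD_SRC = dict(ND_SOLICIT_OK, ipv6_src="a100::1")            # address not in ipv6-allowed
ECHO6_OK = {"in_port": "3", "dl_src": VIF_MAC, "dl_type": "ipv6", "nw_proto": "icmp6",
            "ipv6_src": "a100::ff00", "icmp_type": "128"}
TCP4_BAD_SRC = {"in_port": "3", "dl_src": VIF_MAC, "dl_type": "ipv4", "nw_proto": "tcp",
                "nw_src": "10.0.0.1"}
DHCP_ANY_SRC = {"in_port": "3", "dl_src": VIF_MAC, "dl_type": "ipv4", "nw_proto": "udp",
                "nw_src": "10.0.0.1", "tp_dst": "67"}
FROM_OTHER_PORT = {"in_port": "1", "dl_src": "00:11:22:33:44:55", "dl_type": "ipv4"}

if __name__ == "__main__":
    for name, pkt in [("ND solicit, valid", ND_SOLICIT_OK),
                      ("ND solicit, forged nd_sll", ND_SOLICIT_BAD_SLL),
                      ("ND solicit, wrong ipv6_src", ND_SOLICIT_BAD_SRC),
                      ("ICMPv6 echo, valid src", ECHO6_OK),
                      ("TCP/IPv4, wrong nw_src", TCP4_BAD_SRC),
                      ("DHCP to port 67, any nw_src", DHCP_ANY_SRC),
                      ("packet on another port", FROM_OTHER_PORT)]:
        print(f"{name:32} -> {classify(pkt)}")
```

The forged-nd_sll case is the interesting one: the packet fails the priority-8000 allow but still matches the priority-5000 icmp6 allow, and only the intermediate priority-7000 drop keeps it from being forwarded. The DHCP case matches the priority-8000 udp/tp_dst=67 rule with a source address outside ipv4-allowed, which is exactly what a per-vif filter would need an extra nw_src constraint to refuse.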