
Re: [Xen-devel] promiscuous mode?



> Hi, I am just getting set up with Xen-devel, and am impressed!  (I don't
> have a domain starting yet, but am booting into a modified Gentoo
> install and it seems to be ok so far.. )
> 
> I have a question, can Xen disallow promiscuous mode on guest NICs like
> VMware does?  I want to give my trusted web customers root but not
> access to subnet traffic.

The default config uses bridging in domain 0 to connect together all
of the guest NICs; in this case, guests will be able to see anything
that is on the local network.

If you want to enforce some 'privacy', you can configure things a
little differently:

  a. use a 'routed' model in which domain0 acts as the gateway; in
     this case, no guest can see anything save point-to-point packets
     between itself and its opposite number in domain0. However, it
     does mean a bit more hassle setting up interfaces in domain0.

  b. use ebtables -- this is an ethernet-level "firewall", which
     should allow you to configure whatever you want. Should be
     more flexible (i.e. can allow some guests to see all bcast
     packets, others to see some, others to see none) and more
     efficient. However, I've never used it :-)


Note that you can automate getting 'stuff' done on domain creation
by editing /etc/xen/xend-conf.sxp ; in particular you can tailor
which scripts are invoked when setting up networking, etc. 



cheers,

S.
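As an added illustration of option (b) above (this is not part of the reply, nor Xen's own network scripts): a small POSIX shell script that builds the per-guest ebtables rules a domain 0 administrator would install on the bridge so that a guest which puts its NIC into promiscuous mode still only sees its own unicast traffic. The interface name vif1.0, the MAC and the IP are constructed placeholders; the real values come from the domain's config. EBTABLES defaults to "echo" so the generated rule set can be reviewed (and run here) without root; set EBTABLES=ebtables to apply it.

```shell
#!/bin/sh
# Added example, not from the original post: per-guest ebtables rules for
# the bridged model, applied in domain 0. Assumes (placeholders) that the
# guest's backend interface is named vif1.0 and that the bridge forwards
# frames between it and the physical NIC. EBTABLES defaults to "echo" so
# the rule set can be reviewed without root; run with EBTABLES=ebtables
# to apply it for real.
EBTABLES="${EBTABLES:-echo ebtables}"

# guest_rules VIF MAC IP
# Emits (or applies) six FORWARD-chain rules for one guest:
#   egress  - drop anything leaving the vif whose source MAC, IPv4 source
#             or ARP sender IP is not the guest's own (anti-spoofing);
#   ingress - deliver only frames addressed to the guest's MAC, plus ARP
#             requests asking for its IP; drop everything else, so a NIC
#             put into promiscuous mode inside the guest sees no neighbours'
#             traffic or broadcasts.
guest_rules() {
    vif="$1"; mac="$2"; ip="$3"
    # egress from the guest: must carry its own MAC / IP / ARP sender IP
    $EBTABLES -A FORWARD -i "$vif" -s ! "$mac" -j DROP
    $EBTABLES -A FORWARD -i "$vif" -p IPv4 --ip-src ! "$ip" -j DROP
    $EBTABLES -A FORWARD -i "$vif" -p ARP --arp-ip-src ! "$ip" -j DROP
    # ingress to the guest: unicast to its MAC and ARP requests for its IP only
    $EBTABLES -A FORWARD -o "$vif" -d "$mac" -j ACCEPT
    $EBTABLES -A FORWARD -o "$vif" -p ARP -d Broadcast --arp-ip-dst "$ip" -j ACCEPT
    $EBTABLES -A FORWARD -o "$vif" -j DROP
}

# Example invocation with constructed values (Xen's 00:16:3e OUI, private IP).
guest_rules vif1.0 00:16:3e:00:00:01 192.168.1.10
```

Two things to keep in mind when adapting this: the final DROP also blocks broadcast DHCP offers and multicast, so a guest that relies on DHCP or IPv6 neighbour discovery needs an extra ACCEPT for those before it; and these rules only filter what the bridge forwards to the vif, so they complement, rather than replace, the routed model (option a), which avoids shared-segment snooping altogether.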

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/xen-devel

