
Re: [Xen-devel] promiscuous mode?

Thank you both, that was very informative, I appreciate it!  I think I
can do exactly what I want (and more) with a combo of techniques.

~ John

On Fri, 13 Aug 2004 20:50:47 +0100
Ian Pratt <Ian.Pratt@xxxxxxxxxxxx> wrote:

> > The default config uses bridging in domain 0 to connect together all
> > of the guest NICs; in this case, guests will be able to see anything 
> > that is on the local network. 
> Although it's called a 'bridge', it's actually an L2 'switch' : a
> domain will typically only see traffic that's sent to its MAC or
> the broadcast/multicast MAC (once it's learnt where all the MAC
> addresses live). 
> As with a physical network, you'd still be vulnerable to ARP
> spoofing or forged src addr attacks that would enable an attacker
> to see packets it shouldn't. 
> > If you want to enforce some 'privacy', you can configure things a 
> > little differently; 
> > 
> >   a. use a 'routed' model in which domain0 acts as the gateway; in 
> >      this case, no guest can see anything save point-to-point packets
> >      between itself and its opposite number in domain0. However it 
> >      does mean a bit more hassle setting up interfaces in domain0. 
> > 
> >   b. use ebtables -- this is an ethernet-level "firewall", which 
> >      should allow you to configure whatever you want. Should be 
> >      more flexible (i.e. can allow some guests to see all bcast 
> >      packets, others to see some, others to see none) and more 
> >      efficient. However I've never used it :-) 
> We build the bridge-nf patch into our linux 2.4 kernel by
> default, so it's possible to use Linux's normal iptables commands
> to filter traffic to domains at the IP level even if you're using
> bridging rather than routing (bridge-nf is standard in
> 2.6). However, you'll need a relatively recent version of the
> iptables user-space package that supports the 'physdev' module to
> enable you to attach rules to specific VIFs.
> The vif-bridge script contains an example invocation that stops
> domains from spoofing their src IP address (though you have to be
> careful about DHCP requests and such like).
> ebtables is useful if you want to do purely L2-level (Ethernet)
> filtering.
> Ian
> [perhaps someone could stick this in a FAQ...]
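The per-VIF filtering Ian describes (iptables rules attached to a specific VIF through the 'physdev' match when bridge-nf is active, plus ebtables for pure L2 filtering) can be expressed as a small rule generator. The following is an added example, not the vif-bridge script from Xen itself: it assumes bridge-nf and the physdev module are available in domain 0 and that ebtables is installed; the VIF name `vif1.0`, the IP `192.0.2.10` and the MAC `aa:00:00:00:00:01` are constructed placeholders. It also handles the DHCP caveat from the thread, since a DHCP DISCOVER carries source IP 0.0.0.0 and would otherwise be dropped by a plain source-address check.

```shell
#!/bin/sh
# Added example (not Xen's vif-bridge script): lock a guest VIF to one
# IP and one MAC so it cannot forge source addresses on the bridge.
# Assumptions: domain 0 runs a bridge-nf kernel, iptables has the
# 'physdev' match, ebtables is installed. Names below are placeholders.

IPTABLES="${IPTABLES:-iptables}"
EBTABLES="${EBTABLES:-ebtables}"

# Print (one per line) the L3 rules for a VIF: only frames whose IP
# source is the assigned address may be forwarded, with a carve-out for
# DHCP client traffic (src 0.0.0.0, udp 68 -> 67) which has no IP yet.
vif_ip_rules() {
    vif="$1"; ip="$2"
    printf '%s\n' \
      "$IPTABLES -A FORWARD -m physdev --physdev-in $vif -s $ip -j ACCEPT" \
      "$IPTABLES -A FORWARD -m physdev --physdev-in $vif -s 0.0.0.0 -p udp --sport 68 --dport 67 -j ACCEPT" \
      "$IPTABLES -A FORWARD -m physdev --physdev-in $vif -j DROP"
}

# Print the L2 rule for a VIF: drop any frame whose Ethernet source is
# not the MAC assigned to that domain (ebtables negation is '-s ! mac').
vif_mac_rules() {
    vif="$1"; mac="$2"
    printf '%s\n' \
      "$EBTABLES -A FORWARD -i $vif -s ! $mac -j DROP"
}

# Count how many rules a full per-VIF policy consists of (used to sanity
# check the generator before applying it on a live host).
vif_rule_count() {
    { vif_ip_rules "$1" "$2"; vif_mac_rules "$1" "$3"; } | grep -c .
}

# Execute the generated rules. Run with DRY_RUN=1 to only print them.
apply_vif_policy() {
    vif="$1"; ip="$2"; mac="$3"
    { vif_ip_rules "$vif" "$ip"; vif_mac_rules "$vif" "$mac"; } |
    while IFS= read -r cmd; do
        if [ -n "${DRY_RUN:-}" ]; then
            printf '%s\n' "$cmd"
        else
            eval "$cmd"
        fi
    done
}

# Usage (placeholder values):  DRY_RUN=1 sh thisfile.sh
# apply_vif_policy vif1.0 192.0.2.10 aa:00:00:00:00:01
```

Rules are appended to FORWARD because, with bridge-nf, frames crossing the domain 0 bridge traverse the iptables FORWARD chain even though they are never routed; without bridge-nf the physdev rules would simply never match.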
