[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] Anti-IP-spoofing blocks the wrong packets

To: xen-devel@xxxxxxxxxxxxxxxxxxxxx
From: Robin Green <greenrd@xxxxxxxxxxxxx>
Date: Tue, 15 Feb 2005 22:06:03 -0500 (EST)
Delivery-date: Wed, 16 Feb 2005 03:07:12 +0000
List-id: List for Xen developers <xen-devel.lists.sourceforge.net>

With xen-unstable from 20050207, the anti-IP-spoofing measure does notwork. It blocks packets from domU from leaving the host. This is because

the following iptable was set up by the script on dom0:

Chain FORWARD (policy DROP)
target     prot opt source               destination

ACCEPT all -- anywhere anywhere PHYSDEV match--physdev-in eth0ACCEPT all -- anywhere anywhere PHYSDEV match--physdev-in eth0

(it is in there twice because I had the rule saved from last time, and thescript doesn't detect duplicate rules.)


Running:

 iptables -P FORWARD ACCEPT

solved the problem.

--
Robin


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/xen-devel

Prev by Date: [Xen-devel] Status of save/migrate in xen-2.0.4?
Next by Date: [Xen-devel] RE: [patch ia64] remove duplicate uint64_t definitions
Previous by thread: [Xen-devel] Status of save/migrate in xen-2.0.4?
Next by thread: RE: [Xen-devel] Anti-IP-spoofing blocks the wrong packets
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.