
Re: [Xen-users] antispoof with Xen 3



Dirk H. Schulz wrote:
What I wonder about now is: what is the antispoof option for with xen 3?
If I do not use antispoof, the xen network script registers a domU with the FORWARD chain with physdev matching anyway, so there is no need for a toggleable antispoof button (and toggling it did not lead to any different behaviour - at least I found none).

Many users isolate their dom0 and do not allow direct network
connectivity.  I'm guessing that's why the scripts do not automatically
add INPUT rules.

As far as the antispoof rule, it adds a src IP to the physdev match.
iptables ANDs those two conditions.  With antispoof off any IP from that
interface would be accepted; however, with antispoof on packets would
only be accepted if they come from the interface AND have the spec'd IP.

Congratulations on your success.

:m)
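
The two rule shapes described in the reply above, as an added example that is not part of the original message or of the Xen scripts. It is a dry run that only prints iptables commands and models their verdict; the interface name vif1.0, the addresses, and the assumption that the FORWARD policy is DROP are constructed for illustration.

```shell
#!/bin/sh
# Dry run: nothing here calls iptables, the rules are only printed.

# Build the FORWARD rule for a guest interface. Without an IP the rule matches
# on the bridge port alone; with an IP, -s is added and both must match.
forward_rule() {
    vif=$1; ip=$2
    if [ -z "$ip" ]; then
        echo "iptables -A FORWARD -m physdev --physdev-in $vif -j ACCEPT"
    else
        echo "iptables -A FORWARD -m physdev --physdev-in $vif -s $ip -j ACCEPT"
    fi
}

# Model how one such rule treats a packet (single address only, no CIDR).
# Assumption: a packet matching no rule is dropped (FORWARD policy DROP).
verdict() {
    rule_vif=$1; rule_ip=$2; pkt_if=$3; pkt_src=$4
    [ "$pkt_if" = "$rule_vif" ] || { echo DROP; return; }
    if [ -n "$rule_ip" ] && [ "$pkt_src" != "$rule_ip" ]; then
        echo DROP; return
    fi
    echo ACCEPT
}

echo "antispoof off: $(forward_rule vif1.0 '')"
echo "antispoof on:  $(forward_rule vif1.0 10.0.0.5)"

# Constructed packets arriving on vif1.0: the guest's own address, then a
# source address that does not belong to the guest.
for src in 10.0.0.5 10.0.0.99; do
    off=$(verdict vif1.0 '' vif1.0 "$src")
    on=$(verdict vif1.0 10.0.0.5 vif1.0 "$src")
    echo "src=$src  off=$off  on=$on"
done
```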
