Re: [Xen-users] [SECURITY] preventing Hwaddr spoofing on bridge
On Wed, 28 Nov 2007, Andy Smith wrote:

> On Tue, Nov 27, 2007 at 03:21:14PM +0100, Rafał Kupka wrote:
> > On Sun, Nov 25, 2007 at 07:50:23AM +0000, Andy Smith wrote:
> > > I see your point. I hadn't thought of that problem before. I have
> > > done some preliminary testing with ebtables and the following seems
> > > to work:
> > >
> > > ebtables -t nat -A PREROUTING -i some-vif -s ! aa:00:00:6a:38:0c
> > > --log-level debug --log-prefix 'SPOOF:' -j DROP
> > >
> > > Can you still find a way to break it after using this method?
> >
> > You can still impersonate other domUs' IP addresses. Rooted domUs may
> > send spoofed arp replies with MAC addresses that belong to them.
>
> Yes I already addressed that in my earlier reply in this thread.
> The previous one was specifically about spoofing MAC address, which
> I had not considered until Stefan brought it up.

I still need to verify the rules when I have a quiet moment.

The problem with DROP rules is always they need to be in a separate
chain... or sequence will matter.

Stefan

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
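The two gaps raised in the thread (a domU sending frames with a source MAC other than its own, and a domU sending ARP replies for another domU's IP) and Stefan's point about keeping DROP rules in their own chain, combined into one per-vif ebtables chain. This is an added example, not code from any of the thread's participants; the vif names, MAC and IP addresses are constructed, the `run` and `protect_vif` helpers are assumptions, and it hooks the filter table's FORWARD chain rather than the nat PREROUTING chain of the quoted rule.

```shell
#!/bin/sh
# Added example: one ebtables chain per Xen vif. Not from the thread.
# Assumptions: vif names, MACs and IPs are constructed; 'run' and
# 'protect_vif' are local helpers. DRY_RUN=1 prints the commands
# instead of executing them, so the script can be previewed without root.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# protect_vif VIF MAC IP
# A dedicated chain per vif keeps that guest's DROP rules together, so
# rule order inside it cannot be disturbed by rules added for other
# guests (the ordering problem Stefan mentions).
protect_vif() {
    vif=$1; mac=$2; ip=$3; chain="vif-$1"
    run ebtables -t filter -N "$chain"
    # Ethernet source must be the MAC assigned to this vif
    run ebtables -t filter -A "$chain" -s ! "$mac" \
        --log-level debug --log-prefix SPOOF-MAC: -j DROP
    # ARP: the sender IP and sender MAC inside the ARP payload must
    # also match, so the guest cannot answer for another domU's address
    run ebtables -t filter -A "$chain" -p ARP --arp-ip-src ! "$ip" \
        --log-level debug --log-prefix SPOOF-ARP: -j DROP
    run ebtables -t filter -A "$chain" -p ARP --arp-mac-src ! "$mac" -j DROP
    # IPv4 source address must be the one assigned to this guest
    run ebtables -t filter -A "$chain" -p IPv4 --ip-src ! "$ip" -j DROP
    # everything else falls through to the chain's default ACCEPT;
    # hook frames entering the bridge from this vif into its chain
    run ebtables -t filter -A FORWARD -i "$vif" -j "$chain"
}

# Usage: [DRY_RUN=1] sh vif-guard.sh VIF MAC IP
if [ $# -eq 3 ]; then
    protect_vif "$1" "$2" "$3"
fi
```

Run once per guest with its assigned MAC and IP; with DRY_RUN=1 the generated rules are printed for review before anything is applied.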