
Re: [Xen-users] [SECURITY] preventing Hwaddr spoofing on bridge

On Wed, 28 Nov 2007, Andy Smith wrote:

> On Tue, Nov 27, 2007 at 03:21:14PM +0100, Rafał Kupka wrote:
> > On Sun, Nov 25, 2007 at 07:50:23AM +0000, Andy Smith wrote:
> > > I see your point.  I hadn't thought of that problem before.  I have
> > > done some preliminary testing with ebtables and the following seems
> > > to work:
> > >
> > > ebtables -t nat -A PREROUTING -i some-vif -s ! aa:00:00:6a:38:0c 
> > > --log-level debug --log-prefix 'SPOOF:' -j DROP
> > >
> > > Can you still find a way to break it after using this method?
> >
> > You can still impersonate other domUs IP addresses. Rooted domUs may
> > send spoofed arp replies with MAC address that belong to them.
> Yes I already addressed that in my earlier reply in this thread.
> The previous one was specifically about spoofing MAC address, which
> I had not considered until Stefan brought it up.

I still need to verify the rules when I have a quiet moment. The problem
with DROP rules is always that they need to be in a separate chain... or
sequence will matter.
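One way to put both checks from this thread (the MAC pin from Andy's rule and the ARP/IP pin Rafał asks for) into a dedicated per-vif chain, so that the ordering concern above is confined to that chain. This is an added example, not code from any of the posters or from Xen; vif1.0, aa:00:00:6a:38:0c and 192.0.2.10 are assumed names for the domU's backend interface and its assigned MAC and IPv4 address.

```shell
#!/bin/sh
# Per-vif anti-spoofing chain for a Xen bridge, using ebtables.
# Added example for this thread, not code from the posters or from Xen.
# Assumed names: vif1.0 is the domU's backend interface in dom0,
# aa:00:00:6a:38:0c / 192.0.2.10 are the MAC and IPv4 address assigned to it.
# Must run as root on dom0; DRY_RUN=1 prints the ebtables commands instead.

EBTABLES=${EBTABLES:-ebtables}

# Run one ebtables command, or print it when DRY_RUN=1.
ebt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s %s\n' "$EBTABLES" "$*"
    else
        "$EBTABLES" "$@"
    fi
}

# vif_antispoof VIF MAC IP
# All DROP rules for one vif live in their own chain, so the only ordering
# that matters is the order inside that chain; other vifs' rules cannot
# shadow them.
vif_antispoof() {
    vif=$1
    mac=$2
    ip=$3
    chain="spoof-$vif"            # ebtables chain names: at most 31 characters

    ebt -N "$chain"
    ebt -P "$chain" RETURN        # frames that pass every check go back to the caller

    # 1. Ethernet source address must be the one assigned to this domU
    #    (same check as the rule quoted above, "-s !" as in legacy ebtables).
    ebt -A "$chain" -s ! "$mac" \
        --log-prefix "SPOOF-MAC $vif: " --log-level info -j DROP

    # 2. ARP: the sender addresses inside the ARP payload must match as well.
    #    A domU that keeps its own MAC on the wire can still answer ARP
    #    requests for a neighbour's IP; these two rules stop that.
    ebt -A "$chain" -p ARP --arp-mac-src ! "$mac" \
        --log-prefix "SPOOF-ARP $vif: " --log-level info --log-arp -j DROP
    ebt -A "$chain" -p ARP --arp-ip-src ! "$ip" \
        --log-prefix "SPOOF-ARP $vif: " --log-level info --log-arp -j DROP

    # 3. IPv4: let DHCP DISCOVER/REQUEST through (source 0.0.0.0, udp 68 -> 67),
    #    then pin the source address of everything else.
    ebt -A "$chain" -p IPv4 --ip-proto udp --ip-sport 68 --ip-dport 67 \
        --ip-src 0.0.0.0 -j RETURN
    ebt -A "$chain" -p IPv4 --ip-src ! "$ip" \
        --log-prefix "SPOOF-IP $vif: " --log-level info --log-ip -j DROP

    # Hook the chain for every frame entering from this vif, whether it is
    # bridged to another port (FORWARD) or delivered to dom0 itself (INPUT).
    ebt -A FORWARD -i "$vif" -j "$chain"
    ebt -A INPUT -i "$vif" -j "$chain"
}

# vif_antispoof_remove VIF: undo the above when the domU goes away.
vif_antispoof_remove() {
    vif=$1
    chain="spoof-$vif"
    ebt -D FORWARD -i "$vif" -j "$chain"
    ebt -D INPUT -i "$vif" -j "$chain"
    ebt -F "$chain"
    ebt -X "$chain"
}

# Usage: sh vif-antispoof.sh VIF MAC IP   (add DRY_RUN=1 to only print the rules)
#        sh vif-antispoof.sh VIF          (remove the chain again)
if [ $# -eq 3 ]; then
    vif_antispoof "$1" "$2" "$3"
elif [ $# -eq 1 ]; then
    vif_antispoof_remove "$1"
fi
```

Frames sent by the domU enter dom0 on its vif, so `-i` on the vif is the right anchor; a domU cannot choose a different ingress port. The rules are in the filter table rather than nat PREROUTING only because that is where drops conventionally live; the match options are the same. Two caveats: the example covers IPv4 and ARP only (IPv6 neighbour discovery would need the ip6 match on ICMPv6), and a domU with several addresses needs one `--ip-src`/`--arp-ip-src` rule per address or an address/mask.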


Xen-users mailing list


