
[Xen-users] Isolating DomU / Networking


I want to secure/isolate all running DomUs (HVM) against each other,
so no DomU should see (at IP level or at MAC/broadcast level) the other DomUs.
I found a patch for the creation of a DomU at
(near the bottom)

It seems that this did not work for me :-(
Regardless of the ebtables rules, I could change my IP address and still
do whatever I wanted in the network.

Therefore I started to dig deeper into the network configuration, which
gave me some more questions:

I pinged between two DomUs (IDs 14 and 16), watched the traffic with
        tcpdump -i $iface -n host $ip1 or host $ip2
and tried to find out which interfaces the traffic crosses.

[root@xen02 ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
xenbr1          8000.001b78054bee       no              peth1
Here is my result:

Iface           packets seen          expected
any             double                ~
xenbr1          yes                   yes
tap0            yes                   no
tap1            yes                   no
vif14.0         no                    no
vif16.0         no                    no
peth1           no                    yes

What is most confusing is that I
        a) see the packets on tap0 and tap1,
        b) but see no packets on vif14.0 and vif16.0 ...

Can anyone explain why this is the case?

Best regards

DT Netsolution GmbH   -   Taläckerstr. 30    -    D-70437 Stuttgart
Geschäftsführer: Daniel Schwager, Stefan Hörz - HRB Stuttgart 19870
Tel: +49-711-849910-32, Fax: -932 - Mailto:daniel.schwager@xxxxxxxx
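Added example (editor's note, not part of the original post or of Xen): a small
POSIX sh generator for the per-guest ebtables rules that do what the post's patch
was meant to do, i.e. pin each guest to its assigned MAC and IP and only let its
frames leave the bridge through the uplink, so guests cannot reach each other at
MAC/broadcast or IP level. The rules attach to the bridge port on which a guest's
frames actually arrive; according to the post's tcpdump table that is tap0 and
tap1 for these HVM guests, not vif14.0 and vif16.0. Interface names tap0, tap1 and
peth1 are taken from the post; the guest MAC/IP pairs and the tap-to-guest mapping
are constructed placeholders, and the ebtables rules apply to frames the bridge
forwards (FORWARD chain), not to frames addressed to dom0 itself (INPUT chain).

```sh
#!/bin/sh
# Added example, not code from the original post. Generates ebtables rules that
# lock each guest bridge port to one MAC/IP and isolate guest ports from each other.
# Interface names come from the post; MAC/IP values are constructed placeholders.

# Emit the rules for one guest port.
#   $1 = bridge port the guest's frames enter through (tap0/tap1 in the post)
#   $2 = MAC assigned to the guest      $3 = IP assigned to the guest
#   $4 = uplink port of the bridge (peth1 in the post's brctl output)
guest_rules() {
    port=$1 mac=$2 ip=$3 uplink=$4
    # Source-MAC lock: frames from this port with any other source MAC are dropped.
    printf 'ebtables -A FORWARD -i %s -s ! %s -j DROP\n' "$port" "$mac"
    # ARP lock: the guest may only advertise its own MAC/IP (blocks ARP spoofing).
    printf 'ebtables -A FORWARD -i %s -p ARP --arp-mac-src ! %s -j DROP\n' "$port" "$mac"
    printf 'ebtables -A FORWARD -i %s -p ARP --arp-ip-src ! %s -j DROP\n' "$port" "$ip"
    # IP lock: IPv4 frames must carry the assigned source IP, so changing the
    # address inside the guest no longer gets traffic through the bridge.
    printf 'ebtables -A FORWARD -i %s -p IPv4 --ip-src ! %s -j DROP\n' "$port" "$ip"
    # Isolation: frames from this guest may only leave via the uplink. Flooded
    # broadcast/unknown-unicast copies toward other guest ports are dropped too.
    printf 'ebtables -A FORWARD -i %s -o ! %s -j DROP\n' "$port" "$uplink"
}

# Build the complete rule set from a guest table on stdin ("port mac ip" per line).
#   $1 = uplink port
build_ruleset() {
    up=$1
    printf 'ebtables -F FORWARD\n'
    while read -r g_port g_mac g_ip; do
        [ -n "$g_port" ] || continue
        guest_rules "$g_port" "$g_mac" "$g_ip" "$up"
    done
}

# Constructed guest table (placeholder MACs/IPs for the post's DomU 14 and 16).
GUESTS='tap0 00:16:3e:00:00:0e 192.168.1.14
tap1 00:16:3e:00:00:10 192.168.1.16'

# Dry run by default: print the commands for review. Run with APPLY=1 as root
# on the dom0 to execute them.
ruleset=$(printf '%s\n' "$GUESTS" | build_ruleset peth1)
if [ "${APPLY:-0}" = 1 ]; then
    printf '%s\n' "$ruleset" | sh -e
else
    printf '%s\n' "$ruleset"
fi
```

The order matters: the MAC/IP locks come first so that a guest forging another
guest's address is dropped before the isolation rule is consulted, and the
isolation rule (-o ! uplink) is what stops guest-to-guest unicast and broadcast
on the same bridge. Frames that the bridge delivers to dom0 itself are not
covered by these FORWARD rules.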
