[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-users] Promiscuous mode

  • To: <Xen-users@xxxxxxxxxxxxxxxxxxx>
  • From: "Jonathan Tripathy" <jonnyt@xxxxxxxxxxx>
  • Date: Mon, 14 Jun 2010 10:41:49 +0100
  • Cc:
  • Delivery-date: Mon, 14 Jun 2010 02:42:54 -0700
  • List-id: Xen user discussion <xen-users.lists.xensource.com>
  • Thread-index: AcsLpc+8HZylOVc/SO+hoLILTUDeng==
  • Thread-topic: Promiscuous mode
Hi Everyone,
 
In order to prevent DomU from entering promiscuous mode, is it just a matter of adding these 2 rules when the vif is created?
 
# Accept packets leaving the bridge going to the domU only if
  #  the destination IP for that packet matches an authorized IPv4
  #  address for that domU.
  iptables -A FORWARD -m physdev --physdev-out vif1.0 \
    --destination 216.146.46.43 -j ACCEPT

  # Accept packets coming into the bridge leaving the physical
  #  network interface peth0 only if the source IP for that packet
  #  matches an authorized IPv4 address for that domU.  
  iptables -A FORWARD -m physdev --physdev-in vif1.0 \
    --physdev-out peth0 --source 216.146.46.43 -j ACCEPT
I got the above from http://www.standingonthebrink.com/index.php/ipv6-ipv4-and-arp-on-xen-for-vps/
Does that provide total protection? What about if traffic was going from Dom1 to Dom3, could Dom2 snoop in?
Thanks
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.