Re: [Xen-users] traffic sniff problem
Hello,

I suggest you *always* use routing with VPS hosting.

First reason: Routing only sends packets to the destination host, not to all hosts.
Second: Routing is faster and easier to filter with iptables.

Only disadvantage: You can't route broadcasts across multiple VMs, but you won't want that anyway, because this is only for a LAN situation and your VPSes may rather consider themselves as part of the internet, not part of a LAN.

But this does mean that you need to change your whole network setup:

- Switch the vif-script to a routing one, especially with firewalling and static MAC addresses (to prevent ARP-based attacks)
- Set up iptables in the Dom0 to disallow ARP-, MAC- or IP-spoofing and to deny ICMP redirect packets (and probably some other ICMPs, too).

You can secure a bridge, too, but this is harder and not as efficient as routing.

Regards,
Felix Kuperjans

On 18.06.2010 14:51, Jingyun He wrote:
> Hello,
> I have a Xen node, it has a few VPSes, it uses bridge network mode, and
> we noticed that if one VPS is restarted or a new VPS is started, the
> bridge will send all traffic to all interfaces during a few seconds,
> and I did run a sniff program in one VPS, it successfully retrieved some
> passwords with this traffic.
>
> Any solution?
>
> Thanks.
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users
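The following is an added illustration of the routed dom0 setup recommended in the reply above (vif-route with static MACs, plus iptables/arptables rules against ARP-, MAC- and IP-spoofing and ICMP redirects). It is not code from the thread or from the Xen project. The guest interface name vif1.0, the IP 203.0.113.10 and the MAC 00:16:3e:00:00:02 are constructed placeholders, and the xend-config.sxp / guest config lines in the header comment are the assumed matching configuration. With DRY_RUN=1 (the default) the script only prints the commands it would run, so it can be reviewed on any machine; DRY_RUN=0 executes them on a dom0.

```shell
#!/bin/sh
# Added example for the routed setup described above; not from the original
# mail or the Xen project. Interface name, IP and MAC are constructed values.
#
# Matching (assumed) configuration:
#   /etc/xen/xend-config.sxp:  (network-script network-route)
#                              (vif-script    vif-route)
#   /etc/xen/guest1.cfg:       vif = [ 'mac=00:16:3e:00:00:02, ip=203.0.113.10' ]
# With a static MAC and IP per guest, dom0 can pin each vif to exactly that pair.

# run CMD...: print the command (DRY_RUN=1, the default) or execute it.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# dom0_rules: forward between vifs and the uplink, but neither honour nor emit
# ICMP redirects, so a guest cannot steer dom0's (or another guest's) routes.
dom0_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.accept_redirects=0
    run sysctl -w net.ipv4.conf.all.send_redirects=0
    # Forward only what a vif_rules() entry explicitly allows below.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# vif_rules VIF IP MAC: in routed mode every guest hangs off its own vifN.M in
# dom0, so the (IP, MAC) pair arriving on that vif can be checked per guest.
vif_rules() {
    vif=$1; ip=$2; mac=$3
    # IP spoofing: only the assigned address may be used as source on this vif.
    run iptables -A FORWARD -i "$vif" ! -s "$ip" -j DROP
    # MAC spoofing: and only from the assigned MAC.
    run iptables -A FORWARD -i "$vif" -m mac ! --mac-source "$mac" -j DROP
    # ICMP redirects from a guest are never legitimate; drop them before they
    # reach dom0's own stack or get forwarded to another guest.
    run iptables -A FORWARD -i "$vif" -p icmp --icmp-type redirect -j DROP
    run iptables -A INPUT   -i "$vif" -p icmp --icmp-type redirect -j DROP
    # What remains from this guest may be forwarded.
    run iptables -A FORWARD -i "$vif" -s "$ip" -j ACCEPT
    # Traffic towards the guest is only forwarded out of the vif owning the IP.
    run iptables -A FORWARD -o "$vif" -d "$ip" -j ACCEPT
    # ARP spoofing: iptables never sees ARP, arptables does. Only the assigned
    # MAC/IP may appear as ARP sender on this vif (arptables puts "!" after
    # the option name).
    run arptables -A INPUT -i "$vif" --source-mac ! "$mac" -j DROP
    run arptables -A INPUT -i "$vif" -s ! "$ip" -j DROP
}

# Constructed example: one guest on vif1.0 with the IP/MAC from the config above.
dom0_rules
vif_rules vif1.0 203.0.113.10 00:16:3e:00:00:02
```

Call vif_rules once per running guest (for example from a hook in the vif-route script) so that every vif is pinned to its own address pair; with the FORWARD policy at DROP, a guest that changes its IP or MAC loses connectivity instead of gaining another guest's traffic.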