[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] A security Question

> How about setting up filters.
> When starting the VM, setup filters to block packets (other than required 
> broadcast/multicast ones) from the VM (set the filters on the VIF in Dom0) 
> that don't have the right MAC or IP ?

I would also recommend that approach. To give you a starting point (How
I'd approach it):

Check out the vif-scripts in /etc/xen/scripts/ - They are typically
executed when a new vif is added to your domU and take care of setting
it up in the dom0.

Then I'd try to get the MAC and IP within that script. For this, it
looks like xenstore can be used (This is just a guess, I sadly do not
use most features of xen and run a very simple setup).
As stated in  https://www.webhostingtalk.com/showthread.php?t=1078236
you can read the MAC with `xenstore-read "$XENBUS_PATH/mac"`, the IP
should probably be available in the xenstore, too.

After this, just setup rules for your filter. For iptables, maybe check
http://tecadmin.net/mac-address-filtering-using-iptables/ for filtering
MACs - IP filtering should be pretty clear. Remember to restrict the
iptables rules to the specific vif, elsewise it may be possible that one
domU spoofs packages of another domU.
But I am not entirely sure wether this works for a bridged network (but
it should).

I hope this is a hint into the right direction. If anyone notices
something wrong, I'd be glad to hear about it!


Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.