WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-users

Re: [SPAM] Re: [Xen-users] Re: number of ips

I'm a little puzzled by this. My starting point is that I can sometimes use technology to protect against foolishness but it's much harder to protect against malice.

I believe that the xen 3 limit is 3 vifs per VM. So if you create all three, with one bridge mode with an asugned ip and thee two private networks, what can user do thru ignorance or malice to break this? 1. They can reconfigure their "real IP" do a diff value on the subnet and presumably well see an error on both devices that are trying to use the VM 2. What happens if they create virtual devices based on their "real" device? Can they bind these to different IPs on the subnet?

Is there any reason to expect they would do this? Can you fire your users if they are malicious? This seems as much a human issue as a technical one.



On Apr 11, 2009, at 3:21 PM, Vu Pham <vu@xxxxxxxxxx> wrote:

Anand Gupta wrote:
Hi Eljas,
My dom0 basically has 2 networks, eth0 - 172.20.x.x and eth1 - 192.168.122 .x. Now presently the domU is bound on the bridge with eth0, and which where i am concerned right now. The same would be implemented in a scene with all real ips. I checked the firewall and there is no firewall enabled on dom0. Sorry but i am still confused on how and what you are proposing here.

The firewall file should be /etc/sysconfig/iptables. To se sure the firewall is on when you start your system, use "chkconfig iptables on". If your firewall has not been started, you can start it manually by "service iptables start", assuming you have CentOS or RHEL for dom0.

Vu

On Sat, Apr 11, 2009 at 6:34 PM, Eljas Alakulppi <Buzer@xxxxxxxxx <mailto:Buzer@xxxxxxxxx >> wrote:
   Like I said before, Xen doesn't add DROP rules by default, only
   ACCEPT (so you need to set policy to DROP. Tho, it does seem like
seting antispoof=on should take care of setting policy to DROP on at least Debian. Maybe your firewall script starts after Xen takes care of networking? I have never used Xen on CentOS, so I'm not too sure
   about it's specific details).
Regarding the fact that there is no IP specifed on the ACCEPT rule,
   what does your iptables commands in the vif script look like?
Oh, and I assume you want to remove state match from the first rule (otherwise the virtual servers will not allow any new connections) &
   remove the second rule (allows all traffic orginating from
   192.168.122.0/24 <http://192.168.122.0/24>. If there is no other
   match requirements, it will allow DomUs to spoof addresses from
192.168.122.0/24 <http://192.168.122.0/24>). The third FORWARD rule
   seems like everything gets ACCEPT'ed there. Also, please use
iptables-save, iptables -L doesn't include all of the details (like
   -i and -o).
   So, to wrap it up, the iptables-save should look something like:
   *filter
   ...
   :FORWARD DROP [0:0]
   ...
   -A FORWARD -d 192.168.122.0/24 <http://192.168.122.0/24> -j ACCEPT
   #Tho, this allows spoofing between two DomUs. You could try adding
-m physdev --physdev-in eth0 or whatever your external interface is
   ...
   And once you start, there should be one more rule on FORWARD chain
-A FORWARD -s 192.168.122.5/32 <http://192.168.122.5/32> -m physdev --physdev-in vif6.0 -j ACCEPT #or whatever the IP and vif happend to be
   -Eljas Alakulppi
   On Sat, 11 Apr 2009 14:47:45 +0300, Anand Gupta <xen.mails@xxxxxxxxx
   <mailto:xen.mails@xxxxxxxxx>> wrote:
       I tried to use the antispoof feature thinking it should do the
       trick.
       Modified /etc/xen/xend-config.sxp and modified it as follows:
       (network-script 'network-bridge antispoof=yes')
       Restarted, xen, and then checked the iptables --list. I don't
       see the DROP
       rules added.
       Here is iptables before start of domU
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *******************************************************************
       Chain INPUT (policy ACCEPT)
       target     prot opt source               destination
ACCEPT udp -- anywhere anywhere udp
       dpt:domain
ACCEPT tcp -- anywhere anywhere tcp
       dpt:domain
ACCEPT udp -- anywhere anywhere udp
       dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp
       dpt:bootps
       Chain FORWARD (policy ACCEPT)
       target     prot opt source               destination
       ACCEPT     all  --  anywhere             192.168.122.0/24
       <http://192.168.122.0/24>    state
       RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 <http:// 192.168.122.0/24> anywhere
       ACCEPT     all  --  anywhere             anywhere
REJECT all -- anywhere anywhere reject-with
       icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with
       icmp-port-unreachable
       Chain OUTPUT (policy ACCEPT)
       target     prot opt source               destination
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *******************************************************************
       Here it is after domU was started
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *******************************************************************
       Chain INPUT (policy ACCEPT)
       target     prot opt source               destination
ACCEPT udp -- anywhere anywhere udp
       dpt:domain
ACCEPT tcp -- anywhere anywhere tcp
       dpt:domain
ACCEPT udp -- anywhere anywhere udp
       dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp
       dpt:bootps
       Chain FORWARD (policy ACCEPT)
       target     prot opt source               destination
       ACCEPT     all  --  anywhere             192.168.122.0/24
       <http://192.168.122.0/24>    state
       RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 <http:// 192.168.122.0/24> anywhere
       ACCEPT     all  --  anywhere             anywhere
REJECT all -- anywhere anywhere reject-with
       icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with
       icmp-port-unreachable
ACCEPT all -- anywhere anywhere PHYSDEV match
       --physdev-in vif6.0
       Chain OUTPUT (policy ACCEPT)
       target     prot opt source               destination
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *******************************************************************
       The only difference between both the outputs is
ACCEPT all -- anywhere anywhere PHYSDEV match
       --physdev-in vif6.0
       Any ideas why this is happening ?
P.S. : If i am wrong in thinking that the above will resolve the
       problem of
users binding ips of their domU and using them, please correct me.
   --     Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
--
regards,
Anand Gupta
--- ---------------------------------------------------------------------
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users