WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-users] antispoof with Xen 3

from [Dirk H. Schulz] [Permanent Link][Original]
To: Mike Wright <mike@xxxxxxxxxxxxxxx>, xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] antispoof with Xen 3
From: "Dirk H. Schulz" <dirk.schulz@xxxxxxxxxxxxx>
Date: Mon, 02 Oct 2006 22:07:11 +0200
Delivery-date: Mon, 02 Oct 2006 13:08:04 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <451FF0B7.5080004@xxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <450FAB1C.7020305@xxxxxxxxxxxxx> <45102128.2050306@xxxxxxxxxxxxxx> <451D708A.80601@xxxxxxxxxxxxx> <451D778E.1030304@xxxxxxxxxxxxxx> <451FB7CE.8030305@xxxxxxxxxxxxx> <451FF0B7.5080004@xxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla Thunderbird 1.0.7 (Macintosh/20050923) 
Hi Mike,

Mike Wright schrieb:
As far as the antispoof rule, it adds a src IP to the physdev match. iptables ANDs those two conditions. With antispoof off any IP from that interface would be accepted; however, with antispoof on packets would only be accepted if they come from the interface AND and have the spec'd IP.
That is what I would have expected, too. So I was astonished when I noticed that physdev matching is enabled anyway - whether you use antispoofing or not.
Now I have looked a bit deeper into it: the standard vif-common.sh script uses physdev matching when adding an iptables rule for domU. What antispoofing does, is changing the default policy for FORWARD from ACCEPT to DROP (besided other things). But then I have not managed to activate antispoofing with Xen 3.0.2 - now I do not need it any more as I have a growing iptables script for these things.
Would have been great if all these things had been available in the Xen wiki. Maybe I put it there when I am finished with what I aim at. 

Thanks for your patience, Mike.


Dirk



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-users] adp94xx, Jeff Lane
Next by Date:  [Xen-users] AMD's VT for chipsets, Mark Weinem
Previous by Thread:  Re: [Xen-users] antispoof with Xen 3, Mike Wright
Next by Thread:  [Xen-users] DomU & /tmp, Parissa Heidari
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy