WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   

xen-users

Re: [Xen-users] antispoof with Xen 3

Hi Mike,

Mike Wright wrote:

As far as the antispoof rule, it adds a src IP to the physdev match. iptables ANDs those two conditions. With antispoof off any IP from that interface would be accepted; however, with antispoof on packets would only be accepted if they come from the interface AND have the spec'd IP.

That is what I would have expected, too. So I was astonished when I noticed that physdev matching is enabled anyway - whether you use antispoofing or not.

Now I have looked a bit deeper into it: the standard vif-common.sh script uses physdev matching when adding an iptables rule for domU. What antispoofing does is change the default policy for FORWARD from ACCEPT to DROP (besides other things). But then I have not managed to activate antispoofing with Xen 3.0.2 - now I do not need it any more as I have a growing iptables script for these things.

Would have been great if all these things had been available in the Xen wiki. Maybe I put it there when I am finished with what I aim at.

Thanks for your patience, Mike.


Dirk



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
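The interaction discussed in this message (a per-vif ACCEPT rule that ANDs a physdev match with a source IP, combined with the FORWARD chain policy) can be checked with a small model. This is an added example, not part of the original message and not Xen's or netfilter's code; it is a simplified first-match evaluator, and the interface name and addresses are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    physdev_in: Optional[str]  # models "-m physdev --physdev-in"; None = any
    src: Optional[str]         # models "-s"; None = any source address
    target: str                # "ACCEPT" or "DROP"

    def matches(self, in_dev: str, src_ip: str) -> bool:
        # iptables ANDs all matches in one rule: every condition must hold.
        if self.physdev_in is not None and self.physdev_in != in_dev:
            return False
        if self.src is not None and ip_address(src_ip) not in ip_network(self.src):
            return False
        return True


def forward_verdict(rules, policy, in_dev, src_ip):
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in rules:
        if rule.matches(in_dev, src_ip):
            return rule.target
    return policy


# Constructed sample values (assumptions, not taken from the thread).
VIF = "vif1.0"
GUEST_IP = "192.0.2.10"
SPOOFED_IP = "198.51.100.7"

RULESETS = {
    "physdev only": [Rule(VIF, None, "ACCEPT")],
    "physdev+src": [Rule(VIF, GUEST_IP, "ACCEPT")],
}


def scenario_table():
    """Map (ruleset, policy) -> (verdict for guest IP, verdict for spoofed IP)."""
    table = {}
    for name, rules in RULESETS.items():
        for policy in ("ACCEPT", "DROP"):
            table[(name, policy)] = (
                forward_verdict(rules, policy, VIF, GUEST_IP),
                forward_verdict(rules, policy, VIF, SPOOFED_IP),
            )
    return table


if __name__ == "__main__":
    for key, (legit, spoofed) in scenario_table().items():
        print(key, "guest IP:", legit, "spoofed IP:", spoofed)
```

In this model, spoofed traffic from the guest's interface is dropped only when the rule carries the source IP and the FORWARD policy is DROP; with policy ACCEPT, a packet that fails the per-vif rule simply falls through and is accepted.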
