WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Re: [Xen-users] Filtering traffic to Xen guest machines

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Filtering traffic to Xen guest machines
From: Andy Smith <andy@xxxxxxxxxxxxxx>
Date: Mon, 18 Feb 2008 17:46:47 +0000
Delivery-date: Mon, 18 Feb 2008 10:02:49 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <12346.10.160.5.68.1202427280.squirrel@xxxxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Openpgp: id=BF15490B; url=http://strugglers.net/~andy/pubkey.asc
References: <12346.10.160.5.68.1202427280.squirrel@xxxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.5.13 (2006-08-11)
Hi Javier,

On Fri, Feb 08, 2008 at 12:34:40AM +0100, javier.prieto.ext@xxxxxxxxxxxxxxxxxxx wrote:
> The point is that ebtables doesn't have an option to check for SYN headers, so
> I can't check if a package is trying to establish a new communication or not.

ebtables works at layer 2 and knows nothing of TCP header details
like SYN.

> I can do it with IPtables, but it doesn't work as I'm trying to filter traffic
> within a bridge.
> 
> Can anybody please give me some advice? Thanks in advance, and sorry for my
> bad English :)

iptables will see bridged traffic on the FORWARD table if
/proc/sys/net/bridge/bridge-nf-call-iptables is set to 1.  You can
match which interface on the bridge it comes from / goes via with
--physdev.

Or you can use routed networking and use iptables in the more
usual fashion.

If sticking with a bridged network you'll also want to take steps to
prevent ARP poisoning and MAC spoofing, by either using appropriate
ebtables rules or using VLANs, etc.

Cheers,
Andy

Attachment: signature.asc
Description: Digital signature

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
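The bridged-filtering setup Andy describes above (bridge-nf-call-iptables, --physdev matching in the iptables FORWARD chain so new TCP connections can be told apart by their SYN flag, and ebtables rules against MAC spoofing and ARP poisoning), as an added example that is not part of the original thread: a dom0 shell script that prints the rule set for one guest, or applies it when invoked with `apply`. The backend interface name vif1.0, the MAC address, the IP address and the allowed port list are assumed/constructed values and not taken from the thread.

```shell
#!/bin/sh
# Per-guest filtering on a Xen bridged network, run in dom0.
# Added example; the vif name, MAC, IP and ports below are assumptions.
set -eu

# Print (do not run) the iptables rules for one guest backend interface.
# $1 = vif name, $2 = space-separated TCP ports reachable from outside.
guest_iptables_rules() {
    vif=$1; ports=$2
    # Bridged frames only traverse the iptables FORWARD chain when this is 1.
    echo "sysctl -w net.bridge.bridge-nf-call-iptables=1"
    # Established flows (including replies to connections the guest opened).
    echo "iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-out $vif -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # New inbound connections: only packets with SYN set, only to allowed ports.
    for p in $ports; do
        echo "iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-out $vif -p tcp --syn --dport $p -j ACCEPT"
    done
    # Anything else headed for this guest's interface is dropped.
    echo "iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-out $vif -j DROP"
}

# Print the ebtables rules that pin a guest to its assigned MAC and IP.
# $1 = vif name, $2 = guest MAC, $3 = guest IPv4 address.
guest_ebtables_rules() {
    vif=$1; mac=$2; ip=$3
    # Frames entering the bridge from the guest must carry its own source MAC.
    echo "ebtables -A FORWARD -i $vif -s ! $mac -j DROP"
    # ARP from the guest must advertise its own MAC and IP (anti-poisoning).
    echo "ebtables -A FORWARD -i $vif -p ARP --arp-mac-src ! $mac -j DROP"
    echo "ebtables -A FORWARD -i $vif -p ARP --arp-ip-src ! $ip -j DROP"
    # IPv4 packets from the guest must use its assigned address.
    echo "ebtables -A FORWARD -i $vif -p IPv4 --ip-src ! $ip -j DROP"
}

# Assumed guest: backend interface vif1.0 (domain 1, first NIC).
# MAC uses the Xen OUI 00:16:3e; the IP is a documentation-range address.
VIF=${VIF:-vif1.0}
MAC=${MAC:-00:16:3e:00:00:01}
IP=${IP:-192.0.2.10}
PORTS=${PORTS:-"22 80"}

if [ "${1:-}" = apply ]; then
    # Apply for real (needs root and the bridge/netfilter modules loaded).
    { guest_iptables_rules "$VIF" "$PORTS"; guest_ebtables_rules "$VIF" "$MAC" "$IP"; } | sh -e
else
    # Dry run: show what would be applied.
    guest_iptables_rules "$VIF" "$PORTS"
    guest_ebtables_rules "$VIF" "$MAC" "$IP"
fi
```

The iptables rules key on --physdev-out (the frame is about to leave the bridge towards the guest), so they control what reaches the domU; --physdev-is-bridged is included because --physdev-out in FORWARD only matches bridged frames. The ebtables rules key on -i (the frame came in from the guest's vif), so they stop the guest from claiming another MAC or IP on the shared bridge. Run with `VIF=vif2.0 MAC=... IP=... ./script.sh apply` for each guest, and remember that dom0's own FORWARD policy still applies to traffic between two guests on the same bridge.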