> Hi Everyone,
>
> In order to prevent DomU from entering promiscuous
mode, is it just a matter of adding these 2 rules when the vif is
created?
>
> # Accept packets leaving the bridge going to the domU only if
> # the destination IP for that packet matches an authorized IPv4
> # address for that domU.
> iptables -A FORWARD -m physdev --physdev-out vif1.0 \
--destination 216.146.46.43 -j ACCEPT
> # Accept packets coming into the bridge leaving the physical
> # network interface peth0 only if the source IP for that packet
> # matches an authorized IPv4 address for that domU.
> iptables -A FORWARD -m physdev --physdev-in vif1.0 \
> --physdev-out peth0 --source 216.146.46.43 -j ACCEPT
> I got the above from http://www.standingonthebrink.com/index.php/ipv6-ipv4-and-arp-on-xen-for-vps/
> Does that provide total protection? What about if traffic was going from Dom1 to Dom3, could Dom2 snoop in?
> Thanks
I would think so, provided the rules above filter all traffic expect to/from a specific ip. Therefore if all domU are on separate ip networks the traffic should be on completely different networks too.