Re: [Xen-users] antispoof with Xen 3
Hi Mike,

Mike Wright wrote:
> As far as the antispoof rule, it adds a src IP to the physdev match. iptables ANDs those two conditions. With antispoof off any IP from that interface would be accepted; however, with antispoof on packets would only be accepted if they come from the interface AND have the spec'd IP.

That is what I would have expected, too. So I was astonished when I noticed that physdev matching is enabled anyway - whether you use antispoofing or not.

Now I have looked a bit deeper into it: the standard vif-common.sh script uses physdev matching when adding an iptables rule for domU. What antispoofing does is change the default policy for FORWARD from ACCEPT to DROP (besides other things).

But then I have not managed to activate antispoofing with Xen 3.0.2 - now I do not need it any more as I have a growing iptables script for these things.

Would have been great if all these things had been available in the Xen wiki. Maybe I will put it there when I am finished with what I aim at.

Thanks for your patience, Mike.

Dirk

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
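The interaction discussed in this message, as an added example that is not part of the original post or of the Xen scripts: a small Python model of first-match evaluation in the FORWARD chain, showing that a per-vif ACCEPT rule carrying a source IP only stops spoofed sources once the chain policy is DROP. The interface name, the addresses and the simplified exact-match rule model are assumptions made for illustration.

```python
# Added illustration: minimal model of first-match evaluation in the
# iptables FORWARD chain. Interface name and addresses are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    physdev_in: str             # models: -m physdev --physdev-in <vif>
    src: Optional[str] = None   # models: -s <ip>; None means any source
    target: str = "ACCEPT"

    def matches(self, pkt_if: str, pkt_src: str) -> bool:
        # iptables ANDs all matches of one rule. Simplification: the
        # source is compared as an exact string, not as a CIDR range.
        return pkt_if == self.physdev_in and self.src in (None, pkt_src)


def forward_verdict(rules, policy, pkt_if, pkt_src):
    """Return the target of the first matching rule, else the chain policy."""
    for rule in rules:
        if rule.matches(pkt_if, pkt_src):
            return rule.target
    return policy


# Constructed sample: a domU behind vif1.0 that was assigned 10.0.0.5.
VIF, DOMU_IP, SPOOFED_IP = "vif1.0", "10.0.0.5", "10.0.0.99"
PER_VIF_RULE = [Rule(physdev_in=VIF, src=DOMU_IP)]


def verdict_table():
    """Verdict for a legitimate and a spoofed source under both policies."""
    table = {}
    for policy in ("ACCEPT", "DROP"):
        for label, src in (("legit", DOMU_IP), ("spoofed", SPOOFED_IP)):
            table[(policy, label)] = forward_verdict(
                PER_VIF_RULE, policy, VIF, src)
    return table


if __name__ == "__main__":
    for (policy, label), verdict in verdict_table().items():
        print(f"policy={policy:6} src={label:7} -> {verdict}")
```

With policy ACCEPT the spoofed packet misses the per-vif rule and is then accepted by the policy, so the source match restricts nothing until the default is DROP.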