[SPAM] Re: [Xen-users] Re: number of ips
I tried to use the antispoof feature thinking it should do the trick. I modified /etc/xen/xend-config.sxp as follows:

(network-script 'network-bridge antispoof=yes')

Restarted xen, and then checked iptables --list. I don't see the DROP rules added.

Here is iptables before start of domU
****************************************************************************************************************
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
****************************************************************************************************************
Here it is after domU was started
****************************************************************************************************************
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif6.0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
****************************************************************************************************************

The only difference between both the outputs is
>ACCEPT all -- anywhere anywhere PHYSDEV match --physdev-in vif6.0

Any ideas why this is happening?

P.S.: If I am wrong in thinking that the above will resolve the problem of users binding IPs of their domU and using them, please correct me.
--
regards,
Anand Gupta

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users