Re: [Xen-users] A security Question
> How about setting up filters.
> When starting the VM, setup filters to block packets (other than required
> broadcast/multicast ones) from the VM (set the filters on the VIF in Dom0)
> that don't have the right MAC or IP ?

I would also recommend that approach. To give you a starting point (how I'd approach it):

Check out the vif scripts in /etc/xen/scripts/. They are typically executed when a new vif is added to your domU and take care of setting it up in the dom0. Then I'd try to get the MAC and IP within that script. For this, it looks like xenstore can be used (this is just a guess; I sadly do not use most features of Xen and run a very simple setup). As stated in https://www.webhostingtalk.com/showthread.php?t=1078236 you can read the MAC with `xenstore-read "$XENBUS_PATH/mac"`; the IP should probably be available in the xenstore, too.

After this, just set up rules for your filter. For iptables, maybe check http://tecadmin.net/mac-address-filtering-using-iptables/ for filtering MACs; IP filtering should be pretty clear. Remember to restrict the iptables rules to the specific vif, otherwise it may be possible that one domU spoofs packets of another domU. But I am not entirely sure whether this works for a bridged network (but it should).

I hope this is a hint in the right direction. If anyone notices something wrong, I'd be glad to hear about it!

Cheers
CRT

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
https://lists.xen.org/xen-users
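To make the per-vif anti-spoofing idea from the reply above concrete, here is an added example (not code from the original post, the xen-users list, or the Xen project) of the rules a vif hook could install. It assumes a Linux dom0 with bridged networking, that the vif name arrives in `$vif` and the MAC via `xenstore-read "$XENBUS_PATH/mac"` as the reply describes, and that the domU's IP is available somewhere the hook can read it (the `$XENBUS_PATH/ip` key used below is an assumption, not a documented path). The rules are printed rather than executed so they can be reviewed first; `apply_antispoof_rules` runs them. The `-m physdev --physdev-in` match is what ties each rule to one vif, so a rule for vif1.0 cannot be satisfied by traffic entering on vif2.0; it only sees bridged traffic when the br_netfilter module is loaded and `net.bridge.bridge-nf-call-iptables=1`. Note that iptables never sees ARP, so ARP spoofing on the bridge would need ebtables/arptables in addition.

```shell
#!/bin/sh
# Added example for a Xen vif hook: pin one vif to one MAC/IP pair with iptables.
# Assumptions (not from the original post): bridged networking in dom0,
# br_netfilter loaded with net.bridge.bridge-nf-call-iptables=1, and an
# (assumed, not documented) xenstore key "$XENBUS_PATH/ip" holding the domU IP.

# Reject anything that is not a plain aa:bb:cc:dd:ee:ff MAC before it is
# interpolated into a command line. Values read from xenstore come from the
# domain config, so validating them here is cheap insurance.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Same for a dotted-quad IPv4 address (format only, not range-checked).
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the iptables commands for one vif, one per line, in the order they
# must be appended. Usage: antispoof_rules <vif> <mac> <ip>
antispoof_rules() {
    vif=$1; mac=$2; ip=$3
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    valid_ipv4 "$ip" || { echo "bad IP: $ip" >&2; return 1; }

    # DHCP: the domU legitimately sends from 0.0.0.0 before it has an address,
    # so allow client->server DHCP from the right MAC only. Remove this rule if
    # the domU is statically configured.
    printf 'iptables -A FORWARD -m physdev --physdev-in %s -m mac --mac-source %s -p udp --sport 68 --dport 67 -j ACCEPT\n' "$vif" "$mac"

    # Normal traffic: source MAC *and* source IP must both belong to this domU.
    # Broadcast/multicast it sends still carries its own source addresses, so
    # those pass here too.
    printf 'iptables -A FORWARD -m physdev --physdev-in %s -m mac --mac-source %s -s %s -j ACCEPT\n' "$vif" "$mac" "$ip"

    # Anything else entering the bridge on this vif (wrong MAC, wrong IP, or
    # both) is dropped. Because every rule is keyed on --physdev-in, a domU
    # cannot borrow another domU's addresses to get past its own rule set.
    printf 'iptables -A FORWARD -m physdev --physdev-in %s -j DROP\n' "$vif"
}

# Execute the generated rules (requires root and the iptables binary).
apply_antispoof_rules() {
    antispoof_rules "$@" | sh -e
}

# Glue for a Xen vif hook: read the addresses from xenstore and apply.
# $vif and $XENBUS_PATH are exported to the vif scripts by the toolstack.
hook_from_xenstore() {
    mac=$(xenstore-read "$XENBUS_PATH/mac")
    ip=$(xenstore-read "$XENBUS_PATH/ip")   # assumed key, see lead-in
    apply_antispoof_rules "$vif" "$mac" "$ip"
}

# Stand-alone dry run with constructed sample values (not a real domain).
if [ -z "$XENBUS_PATH" ]; then
    antispoof_rules vif1.0 00:16:3e:12:34:56 192.0.2.10
fi
```

To wire it into a real setup, call `hook_from_xenstore` from the `online`/`add` branch of the vif script in use (e.g. vif-bridge) and mirror it with matching `-D` commands on `offline`/`remove` so rules do not accumulate across domU restarts.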