Ligesh wrote:
> Hi folks,
>
> I have many Windows DomUs running on a Xen node. I want to prevent these Windows Machines from discovering each other via Netbios. Can anyone help me with the relevant iptables rules. I tried simple blocking, but I only managed to block the dom0 <-> domU connection, and not the domU <-> domU or domU <-> outside-world.
>
> I just want to block all netbios connections on all virtual machines on a node.
>
> Thanks in advance.

You could tweak the windows registry to not discover machines on the network.

regedit:

HKEY_LOCAL_USER
  SOFTWARE
    Microsoft
      Windows
        CurrentVersion
          Explorer
            Advanced

Add a DWORD, if not there, of NoNetCrawling and set the value to 1.

Hope that helps,

Jon
_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Hi folks,

I have many Windows DomUs running on a Xen node. I want to prevent these Windows Machines from discovering each other via Netbios. Can anyone help me with the relevant iptables rules. I tried simple blocking, but I only managed to block the dom0 <-> domU connection, and not the domU <-> domU or domU <-> outside-world.

I just want to block all netbios connections on all virtual machines on a node.

Thanks in advance.
It has to be done outside of the domU. Modifying the domU is not an option at all. That's a major effort if you have 30 domUs on a node already running, and anyway, the idea is that domUs are run by hostile users, and all security is implemented outside of it.

Thanks.

On Mon, Feb 11, 2008 at 02:43:32PM -0900, Jon Reynolds wrote:
> You could tweak the windows registry to not discover machines on the
> network.
>
> regedit:
>
> HKEY_LOCAL_USER
>   SOFTWARE
>     Microsoft
>       Windows
>         CurrentVersion
>           Explorer
>             Advanced
>
> Add a DWORD, if not there, of NoNetCrawling and set the value to 1.
>
> Hope that helps,
>
> Jon
I added these rules on the dom0, but they didn't have any effect whatsoever on the domUs. Shouldn't the domU network devices appear as physical devices on the dom0, and then the INPUT/OUTPUT chain just work? Any help would be greatly appreciated. A google search for "xen block netbios" is bringing this particular thread as the first result, so I guess it is not something that's common knowledge.

iptables -A OUTPUT -p tcp --dport 135:139 -j DROP
iptables -A OUTPUT -p udp --dport 135:139 -j DROP
iptables -A INPUT -p tcp --dport 135:139 -j DROP
iptables -A INPUT -p udp --dport 135:139 -j DROP
iptables -A FORWARD -p tcp --dport 135:139 -j DROP
iptables -A FORWARD -p udp --dport 135:139 -j DROP

Thanks.

On Tue, Feb 12, 2008 at 05:08:18PM +0530, Ligesh wrote:
>
> It has to be done outside of the domU. Modifying the domU is not an option at all. That's a major effort if you have 30 domUs on a node already running, and anyway, the idea is that domUs are run by hostile users, and all security is implemented outside of it.
>
Hi Ligesh,

On Wed, Feb 13, 2008 at 05:31:41PM +0530, Ligesh wrote:
> I added these rules on the dom0, but they didn't have any effect
> whatsoever on the domUs. Shouldn't the domU network devices appear
> as physical devices on the dom0, and then the INPUT/OUTPUT chain
> just work?

You need to use --physdev since this is a bridge.

You might also consider using routed networking instead.

Cheers,
Andy
On Wed, Feb 13, 2008 at 06:59:45PM +0000, Andy Smith wrote:
> You need to use --physdev since this is a bridge.

Thanks a lot for the answer. The problem is that I am not seeing any packet at all going through in the forward chain. And iptables -L -v returns this:

----------------------------------
Chain INPUT (policy ACCEPT 2158K packets, 2210M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-in vifxenv0
    0     0 DROP       all  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-in vifxenv0

Chain OUTPUT (policy ACCEPT 1508K packets, 590M bytes)
 pkts bytes target     prot opt in     out     source               destination
--------------------------

I have tried completely blocking all traffic to and from the domU, but there isn't any thing there to block. Also, in the case of HVM, the actual device seems to be tapN, rather than the device vifN.0. Even though the latter is present, the ifconfig shows its traffic as 0, and the traffic is actually going via the

> You might also consider using routed networking instead.

Routed Networking is not an option, since unlike in the case of linux, the windows domUs work via dhcp. and DHCP will not work on routed networking.

Thanks again.
I would like to know when smp support will be added to gpl pv xennet driver to avoid bsod. At this time I can achieve around 900Mbit/s with one vcpu at 100% load (iperf with dom0 on xen3.3). If I launch the test with 2 vcpus or more >> bsod within a second a corrupted file system like james harper warning. Maybe for the binary 0.6.6 version ???

This message and any attachments are confidential to the ordinary user of the e-mail address to which it was addressed and may also be privileged.
Hi Ligesh,

On Thu, Feb 14, 2008 at 09:30:56PM +0530, Ligesh wrote:
> On Wed, Feb 13, 2008 at 06:59:45PM +0000, Andy Smith wrote:
> > You need to use --physdev since this is a bridge.
>
> Thanks a lot for the answer. The problem is that I am not seeing any packet at all going through in the forward chain.

It works for me, so our configurations must be different.

> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DROP       all  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-in vifxenv0
>     0     0 DROP       all  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-in vifxenv0

What is vifxenv0?

With a rule like:

iptables -A FORWARD -m physdev --physdev-in peth0 --physdev-out v-foo -j domu_foo_in

I see traffic from the outside world coming in to the domU on interface v-foo and make it jump to a chain called domu_foo_in.

With:

iptables -A FORWARD -m physdev --physdev-in v-foo --physdev-out peth0 -j domu_foo_out

I see traffic from the domU on interface v-foo destined for outside world.

There are some additional complications in matching dom0->domU and domU->domU traffic.

What is your /proc/sys/net/bridge/bridge-nf-call-iptables set to? It should be 1.

Cheers,
Andy
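The following is an added example, not a script posted by anyone in this thread: it generates the dom0 iptables FORWARD rules that drop NetBIOS traffic (TCP/UDP 135-139, the range Ligesh tried) for each domU interface on a Xen bridge, matching the bridge port with the physdev module as Andy describes, and it checks the bridge-nf-call-iptables sysctl he asks about. The vif names (vif1.0, vif2.0), the function names, and the APPLY switch are this example's own assumptions; without APPLY=1 the rules are only printed, so it can be read and tried without root.

```shell
#!/bin/sh
# Added example (not from the thread): per-vif NetBIOS blocking on a Xen bridge.
# Assumptions: vif names are constructed, function names and the APPLY switch
# are this script's own; rules are printed unless APPLY=1 is set.

NETBIOS_PORTS="135:139"

# emit_rule: print the iptables command, or run it when APPLY=1.
emit_rule() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# netbios_rules_for_vif VIF: four FORWARD rules for one domU interface.
# Both bridge directions are matched: a frame from one domU to another
# enters through the sender's vif and leaves through the receiver's vif,
# so these rules cover domU<->domU as well as domU<->outside traffic.
netbios_rules_for_vif() {
    vif="$1"
    for proto in tcp udp; do
        # frames entering the bridge from the domU
        emit_rule -A FORWARD -m physdev --physdev-in "$vif" \
            -p "$proto" --dport "$NETBIOS_PORTS" -j DROP
        # frames leaving the bridge towards the domU
        emit_rule -A FORWARD -m physdev --physdev-out "$vif" \
            -p "$proto" --dport "$NETBIOS_PORTS" -j DROP
    done
}

# netbios_rules VIF...: rules for every interface given (for HVM domUs
# pass the tapN device that actually carries the traffic).
netbios_rules() {
    for v in "$@"; do
        netbios_rules_for_vif "$v"
    done
}

# bridge_nf_status: returns 0 when the kernel hands bridged frames to
# iptables (sysctl is 1), 1 when the sysctl is 0, and 2 when the file is
# absent (no bridge loaded, or a kernel without br_netfilter support).
bridge_nf_status() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "1" ]
}

if [ "$#" -gt 0 ]; then
    bridge_nf_status || echo "warning: bridge-nf-call-iptables is not 1; FORWARD rules will not see bridged frames" >&2
    netbios_rules "$@"
fi
```

Run it as `sh block-netbios.sh vif1.0 vif2.0` to see the rules, and with `APPLY=1` to install them. Traffic that originates in dom0 itself never passes through FORWARD, so the dom0<->domU case Andy mentions still needs the INPUT/OUTPUT rules from Ligesh's first attempt; and the check on bridge-nf-call-iptables matters because with it at 0 the FORWARD counters stay at zero exactly as in the listing above.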
> I would like to know when smp support will be added to gpl pv xennet
> driver to avoid bsod. At this time I can achieve around 900Mbit/s with
> one vcpu at 100% load (iperf with dom0 on xen3.3). If I launch the test
> with 2 vcpus or more >> bsod within a second a corrupted file system
> like james harper warning. Maybe for the binary 0.6.6 version ???
>

I posted a link to a 0.7.0-pre2 a few days ago. That fixes the bug you are seeing. I'm just doing some final testing on the next version now.

James