Hi Everyone,

My Xen host has 3 bridges. 1 bridge has an IP, the other 2 do not. Am I correct in saying that since the 2 bridges don't have an IP address, DomUs which are connected to that bridge cannot "hop" from one bridge to the other? It is important that traffic leaving the bridge (not destined for another DomU on the same bridge) goes through the firewall DomU.

Thanks

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
> -----Original Message-----
> From: xen-users-bounces@lists.xensource.com [mailto:xen-users-bounces@lists.xensource.com] On Behalf Of Jonathan Tripathy
> Sent: Wednesday, July 14, 2010 5:22 PM
> To: Xen-users@lists.xensource.com
> Subject: [Xen-users] Bridge Hopping
>
> Hi Everyone,
>
> My Xen host has 3 bridges. 1 bridge has an IP, the other 2 do not. Am I correct in saying that since the 2 bridges don't have an IP address, DomUs which are connected to that bridge cannot "hop" from one bridge to the other? It is important that traffic leaving the bridge (not destined for another DomU on the same bridge) goes through the firewall DomU.

If any bridge device is connected to a physical interface (e.g. eth0), packets could also traverse out that interface into another bridge or switch on your network.

It's helpful for me to think of Linux bridge devices as virtual switches, and diagram them exactly the same way. Each interface (virtual or physical) plumbed into the bridge device functions like a switch port.

-Jeff
________________________________
From: Jeff Sturm [mailto:jeff.sturm@eprize.com]
Sent: Thu 15/07/2010 01:10
To: Jonathan Tripathy; Xen-users@lists.xensource.com
Subject: RE: [Xen-users] Bridge Hopping

> > -----Original Message-----
> > From: xen-users-bounces@lists.xensource.com [mailto:xen-users-bounces@lists.xensource.com] On Behalf Of Jonathan Tripathy
> > Sent: Wednesday, July 14, 2010 5:22 PM
> > To: Xen-users@lists.xensource.com
> > Subject: [Xen-users] Bridge Hopping
> >
> > Hi Everyone,
> >
> > My Xen host has 3 bridges. 1 bridge has an IP, the other 2 do not. Am I correct in saying that since the 2 bridges don't have an IP address, DomUs which are connected to that bridge cannot "hop" from one bridge to the other? It is important that traffic leaving the bridge (not destined for another DomU on the same bridge) goes through the firewall DomU.
>
> If any bridge device is connected to a physical interface (e.g. eth0), packets could also traverse out that interface into another bridge or switch on your network.
>
> It's helpful for me to think of Linux bridge devices as virtual switches, and diagram them exactly the same way. Each interface (virtual or physical) plumbed into the bridge device functions like a switch port.
>
> -Jeff

Thanks for your reply. I understand what you are saying, however my bridges have no virtual or physical NICs which connect them to each other. My question was whether the Dom0 could "forward" packets from one bridge to the other (this is what I wish to prevent). The 2 bridges that don't have an IP address assigned have untrusted clients connected to them.

Thanks
On Thu, Jul 15, 2010 at 2:49 PM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
> My question was whether the Dom0 could "forward" packets from one bridge to the other (this is what I wish to prevent). The 2 bridges that don't have an IP address assigned have untrusted clients connected to them.

Under normal circumstances, no. Dom0 would forward traffic from one bridge to another if they have IP addresses, and dom0 is set up to function as a router. That is, dom0 would treat the bridge the same way as it treats other interfaces. So if it does not have an IP address on the dom0 side, dom0 can't forward traffic from one bridge to another.

Note that I said "under normal circumstances". You should be able to make it behave otherwise using things like http://www.bjou.de/blog/2008/05/howto-copyteeclone-network-traffic-using-iptables/ , or by creating some userland program that uses libpcap.

--
Fajar
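Jeff's "bridge = virtual switch" view and Fajar's routing condition together give a concrete checklist for auditing the bridges on a host: a bridge can leak traffic past the firewall DomU if dom0 holds an address on it while IP forwarding is enabled, or if a physical NIC is enslaved to it. The script below is an added example, not something posted in the thread. It scores each bridge against both conditions. The bridge names (xenbr0..xenbr2), the vif/eth0 port names, the sample `ip -o -4 addr show` text and the sysfs membership table are all constructed assumptions; with `--live` it gathers the same facts from a running Linux dom0.

```shell
#!/bin/sh
# Added example (not from the Xen-users thread): audit whether dom0 could move
# traffic between Xen bridges. Two conditions are checked per bridge:
#   1. dom0 has an IPv4 address on the bridge AND ip_forward is on -> dom0 can route off it
#   2. a non-vif port (physical NIC) is enslaved -> frames can leave to the real network
# Bridge/interface names (xenbr0..2, vif*, eth0) and the sample outputs are constructed.

# Constructed stand-in for `ip -o -4 addr show`: only a bridge that carries an
# address appears; bridges without one print nothing with -4.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
4: xenbr0    inet 192.0.2.11/24 brd 192.0.2.255 scope global xenbr0\       valid_lft forever preferred_lft forever'

# Constructed bridge membership, one bridge per line: "<bridge> <port> <port> ..."
# (on a real host this is built from /sys/class/net/<bridge>/brif/).
SAMPLE_PORTS='xenbr0 eth0 vif1.0
xenbr1 vif2.0 vif3.0
xenbr2 vif4.0'
SAMPLE_IP_FORWARD=1

# bridge_has_ip BRIDGE ADDR_TEXT -> exit 0 if dom0 holds an IPv4 address on BRIDGE
bridge_has_ip() {
    printf '%s\n' "$2" | grep -q "^[0-9][0-9]*: $1 "
}

# bridge_uplinks BRIDGE PORTS_TEXT -> print enslaved ports that are not DomU vifs
bridge_uplinks() {
    printf '%s\n' "$2" | awk -v br="$1" '
        $1 == br { for (i = 2; i <= NF; i++) if ($i !~ /^vif/) print $i }'
}

# bridge_verdict BRIDGE ADDR_TEXT PORTS_TEXT IP_FORWARD -> one word:
#   routable : dom0 has an address here and forwarding is on (Fajar's case)
#   uplinked : a physical port is enslaved (Jeff's case)
#   isolated : neither; frames stay among the vifs on this bridge
bridge_verdict() {
    if bridge_has_ip "$1" "$2" && [ "$4" = "1" ]; then
        echo routable
    elif [ -n "$(bridge_uplinks "$1" "$3")" ]; then
        echo uplinked
    else
        echo isolated
    fi
}

# audit ADDR_TEXT PORTS_TEXT IP_FORWARD -> one "<bridge> <verdict>" line per bridge
audit() {
    printf '%s\n' "$2" | while read -r br _; do
        if [ -n "$br" ]; then
            echo "$br $(bridge_verdict "$br" "$1" "$2" "$3")"
        fi
    done
}

# live_ports -> build the PORTS_TEXT table from sysfs on a real Linux host
live_ports() {
    for d in /sys/class/net/*/bridge; do
        [ -d "$d" ] || continue
        br=$(basename "$(dirname "$d")")
        printf '%s' "$br"
        for p in /sys/class/net/"$br"/brif/*; do
            [ -e "$p" ] && printf ' %s' "$(basename "$p")"
        done
        echo
    done
}

if [ "$1" = "--live" ]; then
    audit "$(ip -o -4 addr show)" "$(live_ports)" "$(cat /proc/sys/net/ipv4/ip_forward)"
else
    # Expected on the constructed sample: xenbr0 routable, xenbr1 isolated, xenbr2 isolated
    audit "$SAMPLE_ADDRS" "$SAMPLE_PORTS" "$SAMPLE_IP_FORWARD"
fi
```

Two caveats when reading the verdicts. The script only inspects IPv4: any bridge that is up acquires an IPv6 link-local address automatically when IPv6 is enabled, so repeat the address check with `ip -o -6 addr show` and look at `net.ipv6.conf.all.forwarding` as well. And it reports configuration state, not rules: the iptables TEE and libpcap tricks Fajar mentions do not need an address on the bridge, so iptables/ebtables rule sets and any capture processes on dom0 have to be reviewed separately.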
________________________________
From: Fajar A. Nugraha [mailto:fajar@fajar.net]
Sent: Thu 15/07/2010 09:06
To: Jonathan Tripathy
Cc: Xen User-List
Subject: Re: [Xen-users] Bridge Hopping

> On Thu, Jul 15, 2010 at 2:49 PM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
> > My question was whether the Dom0 could "forward" packets from one bridge to the other (this is what I wish to prevent). The 2 bridges that don't have an IP address assigned have untrusted clients connected to them.
>
> Under normal circumstances, no. Dom0 would forward traffic from one bridge to another if they have IP addresses, and dom0 is set up to function as a router. That is, dom0 would treat the bridge the same way as it treats other interfaces. So if it does not have an IP address on the dom0 side, dom0 can't forward traffic from one bridge to another.
>
> Note that I said "under normal circumstances". You should be able to make it behave otherwise using things like http://www.bjou.de/blog/2008/05/howto-copyteeclone-network-traffic-using-iptables/ , or by creating some userland program that uses libpcap.
>
> --
> Fajar

Thanks Fajar. Nope, I'm not doing anything like the above. I am doing filtering on the Dom0 though (using network-bridge and vif-bridge), however as you say, since the bridges have no IP address, Dom0 can't route between the bridges and no traffic should "leak" from one bridge to the other, correct?

Thanks