search for: antispoof

Displaying 20 results from an estimated 48 matches for "antispoof".

2006 Sep 19
7
antispoof with Xen 3
Hi folks, I am trying to get antispoofing running on xen3 (based on Debian Sarge). This is what I have done to enable it: 1. I have compiled a dom0 kernel with CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m 2. I made sure this module is loaded: lsmod gives xt_physdev (among others). 3a. I have changed the line "(network-script network-brid...
2010 Nov 03
2
XEN 4.0.1 bridged network - antispoof Option does not work
Hello with XEN 3.4.x antispoof=yes works on a bridge setup. I am using this line in xend-config.sxp (network-script 'network-bridge antispoof=yes') It creates this under IPTABLES FORWARD chain: ACCEPT all -- anywhere anywhere PHYSDEV match --physdev-in peth0 Under XEN 4.0.1 it i...
2005 Nov 01
2
vif-antispoof
Hi folks, I started testing the antispoof feature of xen stable (2.0.7). I am stuck with it. I have setup a standard bridged environment. I understood it like this: in domU config I set up the virtual NIC like vif = [ 'mac=ae:00:00:78:78:78, ip=192.168.0.100' ] Then I configure /etc/network/interface of this domU...
2018 Mar 25
8
Bug#894013: xen-utils-common: issue with iptables antispoofing rules in xen4.8 generated by vif-bridge and vif-common.sh
...all I've already filed this issue with the Debian user-list and XEN project - they asked me to file it here as well. On XEN project you can find it here: https://lists.xenproject.org/archives/html/xen-users/2018-03/msg00043.html I have issues with the on domU startup automatically generated antispoofing rules by /etc/xen/scripts/vif-bridge and /etc/xen/scripts/vif-common.sh Both are part of the Debian xen-utils-common package (4.8.3+comet2+shim4.10.0+comet3-1+deb9u5 installed on Debian 9.4). A domU test01 has two virtual interfaces - vif-test01-INT and vif-test01-TEST, both are connected to...
2005 Jul 18
0
DOMU loses outside connection
...INT echo " " # # start the 3 guests xm create /etc/xen/xm1firewall xm create /etc/xen/xm2webserver xm create /etc/xen/xm3idsappdb # # /etc/xen/scripts run the network script 4 times to # associate the bridges with xend# cd /etc/xen/scripts # ./network start bridge=xen-br0 netdev=vif1.0 antispoof=yes # ./network start bridge=xen-br0 netdev=vif2.0 antispoof=yes # ./network start bridge=xen-br0 netdev=vif3.0 antispoof=yes ./network start bridge=xen-brDMZ netdev=vif1.1 antispoof=yes ./network start bridge=xen-brDMZ netdev=vif2.1 antispoof=yes ./network start bridge=xen-brINT netdev=vif1.2 anti...
2011 Feb 18
0
xl create don't register IP in xenstore. vif-common.sh antispoof scripts fails [SOLVED]
When start a domU through xl create. The domU associated ip in the configuration file is not recorded in the xenstore. For this reason vif-common.sh antispoof scripts fails. *xl create * /usr/bin/xenstore-ls /local/domain/0/backend/vif/5/0 frontend = "/local/domain/5/device/vif/0" frontend-id = "5" online = "1" state = "4" script = "/etc/xen/scripts/vif-bridge" mac = "00:16:3e:56:df:85" bridge...
2013 Jan 24
0
Bug#698841: xen-utils-common: HVM networking for ioemu devices is blocked when antispoof is on
Package: xen-utils-common Version: 4.1.3-8 Severity: important When antispoof is set to 'on', the vif-common script does not create an ALLOW firewall rule for the emulated vif devices. This means that HVM nodes, unless a Xen PV driver is installed and running, cannot access the external network. The vif-common script creates an ACCEPT entry for the normal vif device...
2005 Oct 28
0
Reverting bridge/antispoofing param removal
While cleaning up some other stuff in this area, I looked into a problem Sean Dague ran into - he was specifying br0 as the bridge name in xend-config.spx and it was still using the original default xenbr0. When the bridge name is specified in the network-bridge script, it is created correctly (ditto anti-spoofing). A recent patchset:
2014 Aug 11
1
IP/MAC antispoof-protection
Hi all. What is the right way to protect against ip/mac spoofing for guests without dhcp and other 1 ip per guest?
2013 Mar 24
0
[Bug 814] New: rpfilter blocks broadcast packets
...,LOWER_UP> mtu 1500 qdisc noqueue state UP link/ether 02:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff inet 192.168.2.1/24 scope global br.qemu Here is rules: # iptables -A PREROUTING -t raw -i br.qemu -m rpfilter -j RETURN # iptables -A PREROUTING -t raw -j LOG --log-level 7 --log-prefix "antispoof: " Here is example of blocked packet (samba/netbios announce, I suppose): kern.debug: antispoof: IN=br.qemu OUT= MAC= SRC=192.168.2.1 DST=192.168.2.255 LEN=248 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=228 Also I notice `ping -b 192.168.2.255` is also blocked: kern.debu...
2013 Apr 12
3
[Bug 814] rpfilter blocks broadcast packets
...oqueue state UP > link/ether 02:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff > inet 192.168.2.1/24 scope global br.qemu > > Here is rules: > # iptables -A PREROUTING -t raw -i br.qemu -m rpfilter -j RETURN > # iptables -A PREROUTING -t raw -j LOG --log-level 7 --log-prefix "antispoof: " > > Here is example of blocked packet (samba/netbios announce, I suppose): > kern.debug: antispoof: IN=br.qemu OUT= MAC= SRC=192.168.2.1 DST=192.168.2.255 > LEN=248 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=228 > > Also I notice `ping -b 192.168.2.2...
2005 Nov 14
0
Xend fails to start on newly compiled xen dom0 kernel
...work-bridge] + export bridge=xen-br0 [2005-11-01 17:46:14 xend] ERROR (process:37) [network-bridge] + bridge=xen-br0 [2005-11-01 17:46:14 xend] ERROR (process:37) [network-bridge] + for arg in '"$@"' [2005-11-01 17:46:14 xend] ERROR (process:37) [network-bridge] + export antispoof=no [2005-11-01 17:46:14 xend] ERROR (process:37) [network-bridge] + antispoof=no [2005-11-01 17:46:14 xend] ERROR (process:37) [network-bridge] + bridge=xen-br0 [2005-11-01 17:46:14 xend] ERROR (process:37) [network-bridge] + netdev=eth0 [2005-11-01 17:46:14 xend] ERROR (process:37) [network-bridge...
2013 Aug 16
0
Processed: closing 613540
Processing commands for control at bugs.debian.org: > forcemerge 613540 698841 Bug #613540 [xen-utils-common] xen-utils-common: iptables rules missing for qemu tap interfaces Bug #698841 [xen-utils-common] xen-utils-common: HVM networking for ioemu devices is blocked when antispoof is on Severity set to 'normal' from 'important' Marked as fixed in versions xen/4.2.1-1. Marked as found in versions xen-common/4.0.0-1. Added tag(s) fixed-upstream. Bug #613540 [xen-utils-common] xen-utils-common: iptables rules missing for qemu tap interfaces Marked as found in ve...
2005 Sep 05
0
Two interfaces in a guest domain
...or a domain with a single interface, the new networkd setup script works fine, but it does work (for me) with two interfaces. It used to work fine, and I used to set it up with simply by more or less blindly doing this: case ${OP} in start) $p/network start bridge=xen-br0 netdev=eth0 antispoof=no $p/network start bridge=xen-br1 netdev=eth1 antispoof=no ;; where $p/network was the original (xen 2) network setup script for a bridged configuration. The same thing does not work for the new scripts, since there are hardcoded devices in there: veth0, peth0, vif0.0. I tried...
2006 Mar 22
0
two bridges share the same bridge ID.
...vif10.1 Is that normal? Could it possibly cause network performance loss? I am using this script to set them up. /etc/xen/scripts/my-network-bridge #!/bin/bash case "$1" in start) /etc/xen/scripts/network-bridge start bridge=xenbr0 netdev=eth0 vifnum=0 antispoof=no /etc/xen/scripts/network-bridge start bridge=xenbr1 netdev=eth1 vifnum=1 antispoof=no ;; stop) /etc/xen/scripts/network-bridge stop bridge=xenbr0 netdev=eth0 vifnum=0 /etc/xen/scripts/network-bridge stop bridge=xenbr1 netdev=eth1 vifnum=1 ;; restart) $0 stop $0 start ;; *) echo "usage: $0 {...
2011 Jan 31
3
Three small patches for xen-4.1.0-rc
Here are three small patches that I have applied to the Fedora xen builds and I think are suitable for xen-4.1.0. The first patch fixes an anomaly in /etc/xen/scripts/network-route. Currently this script contains netdev=${netdev:-eth${vifnum}} ie. netdev is set to eth${vifnum} by default. Unfortunately vifnum is not set anywhere in the xen code so the default is actually the broken
2011 Feb 18
1
xl create don't register IP in xenstore.
Hello, When start a domU through xl create. The domU associated ip in the configuration file is not recorded in the xenstore. For this reason vif-common.sh antispoof scripts fails. *xl create * /usr/bin/xenstore-ls /local/domain/0/backend/vif/5/0 frontend = "/local/domain/5/device/vif/0" frontend-id = "5" online = "1" state = "4" script = "/etc/xen/scripts/vif-bridge" mac = "00:16:3e:56:df:85" bridge...
2017 Jun 06
2
Re: Isolate VMs' network
...test malicious software, so my network filtering shouldn't > depend on the guests' IP addresses. I think I have to setup a new virtual > "virus" interface and configure iptables on the host for this interface. > Is this possible? You can use the network filters to setup antispoofing protection for both IP addresses and MAC addresses. In fact this is what the "clean-traffic" example filter libvirt provides will do for you. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o-...
2005 Feb 15
0
weird queue keep-state behavior
...ed configuration with NAT+FW ADSL router with one external ip on external network interface (we're using ADSL modem in bridge mode). I've configured single pipe, configured queues to use that pipe, add queues with different weights distinct on destination ports. <skipped rules for lo0, antispoof rules, couple of counts> //i'm doing nat with that rules: 03400 divert 8668 ip from { 192.168.132.0/24,192.168.10.0/24,172.16.1.0/24,10.10.10.0/24 or me } to any out via bfe0 03600 divert 8668 ip from any to me in via bfe0 <antispoof rules, icmp restricts, internal interface allow, allo...
2010 May 05
12
[Xen-API] XCP Monthly Call Request
I am planning to schedule a monthly XCP meeting for the community and am struggling with when to host the call. As we are a global community, there is no single optimal time to host the meeting. In an effort to support the most likely attendees, please send me your time zone if you plan to participate in these calls. I will track the most common time zones in an effort to maximize attendance. All