Displaying 20 results from an estimated 48 matches for "antispoofing".
2006 Sep 19
7
antispoof with Xen 3
Hi folks,
I am trying to get antispoofing running on xen3 (based on Debian Sarge).
This is what I have done to enable it:
1. I have compiled a dom0 kernel with CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
2. I made sure this module is loaded: lsmod gives xt_physdev (among
others).
3a. I have changed the line "(network-script network-bridge)...
2010 Nov 03
2
XEN 4.0.1 bridged network - antispoof Option does not work
Hello
with XEN 3.4.x antispoof=yes works on a bridge setup.
I am using this line in xend-config.sxp
(network-script 'network-bridge antispoof=yes')
It creates this under IPTABLES FORWARD chain:
ACCEPT all -- anywhere anywhere PHYSDEV match
--physdev-in peth0
Under XEN 4.0.1 it is not working, it does not create an IPTABLES rule. Customers
can
2005 Nov 01
2
vif-antispoof
Hi folks,
I started testing the antispoof feature of xen stable (2.0.7). I am
stuck with it.
I have setup a standard bridged environment.
I understood it like this: in domU config I set up the virtual NIC like
vif = [ 'mac=ae:00:00:78:78:78, ip=192.168.0.100' ]
Then I configure /etc/network/interface of this domU to show the same IP
address for eth0.
After restarting
2018 Mar 25
8
Bug#894013: xen-utils-common: issue with iptables antispoofing rules in xen4.8 generated by vif-bridge and vif-common.sh
...all
I've already filed this issue with the Debian user-list and XEN project -
they asked me to file it here as well. On XEN project you can find it here:
https://lists.xenproject.org/archives/html/xen-users/2018-03/msg00043.html
I have issues with the on domU startup automatically generated
antispoofing rules by
/etc/xen/scripts/vif-bridge and
/etc/xen/scripts/vif-common.sh
Both are part of the Debian xen-utils-common package
(4.8.3+comet2+shim4.10.0+comet3-1+deb9u5 installed on Debian 9.4).
A domU test01 has two virtual interfaces - vif-test01-INT and
vif-test01-TEST, both are connected to sep...
2005 Jul 18
0
DOMU loses outside connection
When I start xen dom0 I get that same dhcp address for eth0 and for
xen-br0, dom0 can talk to the world. If I start each of my 3 domU's
manually, each guest gets a xen-br0 vif with a dhcp address and all 3
can talk to the outside world and each other (my "flat network").
What I want is a tiered network with the first domU acting as a firewall
with 3 nics
vif = [
2011 Feb 18
0
xl create don't register IP in xenstore. vif-common.sh antispoof scripts fails [SOLVED]
When start a domU through xl create. The domU associated ip in the
configuration file is not recorded in the xenstore. For this reason
vif-common.sh antispoof scripts fails.
*xl create *
/usr/bin/xenstore-ls /local/domain/0/backend/vif/5/0
frontend = "/local/domain/5/device/vif/0"
frontend-id = "5"
online = "1"
state = "4"
script =
2013 Jan 24
0
Bug#698841: xen-utils-common: HVM networking for ioemu devices is blocked when antispoof is on
Package: xen-utils-common
Version: 4.1.3-8
Severity: important
When antispoof is set to 'on', the vif-common script does not create an ALLOW firewall rule for the emulated vif devices. This means that HVM nodes, unless a Xen PV driver is installed and running, cannot access the external network.
The vif-common script creates an ACCEPT entry for the normal vif device (e.g. vif4.0) but not
2005 Oct 28
0
Reverting bridge/antispoofing param removal
While cleaning up some other stuff in this area, I looked
into a problem Sean Dague ran into - he was specifying br0
as the bridge name in xend-config.spx and it was still using
the original default xenbr0. When the bridge name is
specified in the network-bridge script, it is created
correctly (ditto anti-spoofing).
A recent patchset:
2014 Aug 11
1
IP/MAC antispoof-protection
Hi all.
What right way to protect ip/mac spoofing for guests without dhcp and
other 1 ip per guest?
2013 Mar 24
0
[Bug 814] New: rpfilter blocks broadcast packets
http://bugzilla.netfilter.org/show_bug.cgi?id=814
Summary: rpfilter blocks broadcast packets
Product: netfilter/iptables
Version: unspecified
Platform: x86_64
OS/Version: Gentoo
Status: NEW
Severity: normal
Priority: P5
Component: ip_tables (kernel)
AssignedTo: netfilter-buglog at
2013 Apr 12
3
[Bug 814] rpfilter blocks broadcast packets
https://bugzilla.netfilter.org/show_bug.cgi?id=814
Florian Westphal <fw at strlen.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fw at strlen.de
--- Comment #1 from Florian Westphal <fw at strlen.de> 2013-04-12 10:24:14 CEST ---
(In reply
2005 Nov 14
0
Xend fails to start on newly compiled xen dom0 kernel
Hello:
I just gave 3 tries at compiling a xen kernel. I
managed to get the networking in the host to work ok
on the third try, unfortunately xend gives me the
following errors in my xend.log and will not start.
Any ideas?
It fails to start with the following error
----------------------------------------------------
/usr/sbin/xend
[root@localhost ~]# /usr/sbin/xend start
Traceback (most recent
2013 Aug 16
0
Processed: closing 613540
Processing commands for control at bugs.debian.org:
> forcemerge 613540 698841
Bug #613540 [xen-utils-common] xen-utils-common: iptables rules missing for qemu tap interfaces
Bug #698841 [xen-utils-common] xen-utils-common: HVM networking for ioemu devices is blocked when antispoof is on
Severity set to 'normal' from 'important'
Marked as fixed in versions xen/4.2.1-1.
Marked
2005 Sep 05
0
Two interfaces in a guest domain
Hello,
I'm still having problems with my 'upgrade' to the FC4 xen packages.
I have a domain with two virtual network interfaces, in two different
subnets.
For a domain with a single interface, the new networkd setup script works
fine, but it does work (for me) with two interfaces.
It used to work fine, and I used to set it up with simply by more or
less blindly doing
2006 Mar 22
0
two bridges share the same bridge ID.
Hello all,
I would like to use two network interfaces.
It is working but I notice that both bridges have the same id.
#brctl show
bridge name bridge id STP enabled interfaces
xenbr0 8000.feffffffffff no peth0
vif0.0
vif10.0
xenbr1
2011 Jan 31
3
Three small patches for xen-4.1.0-rc
Here are three small patches that I have applied to the Fedora xen builds
and I think are suitable for xen-4.1.0.
The first patch fixes an anomaly in /etc/xen/scripts/network-route.
Currently this script contains
netdev=${netdev:-eth${vifnum}}
ie. netdev is set to eth${vifnum} by default. Unfortunately vifnum is not
set anywhere in the xen code so the default is actually the broken
2011 Feb 18
1
xl create don't register IP in xenstore.
Hello,
When start a domU through xl create. The domU associated ip in the
configuration file is not recorded in the xenstore. For this reason
vif-common.sh antispoof scripts fails.
*xl create *
/usr/bin/xenstore-ls /local/domain/0/backend/vif/5/0
frontend = "/local/domain/5/device/vif/0"
frontend-id = "5"
online = "1"
state = "4"
script =
2017 Jun 06
2
Re: Isolate VMs' network
...test malicious software, so my network filtering shouldn't
> depend on the guests' IP addresses. I think I have to setup a new virtual
> "virus" interface and configure iptables on the host for this interface.
> Is this possible?
You can use the network filters to setup antispoofing protection for both
IP addresses and MAC addresses. In fact this is what the "clean-traffic"
example filter libvirt provides will do for you.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- h...
2005 Feb 15
0
weird queue keep-state behavior
I'm just one of those weirdos, who wanna make a powerful queues shaper (not QoS but near) with ipfw2 on their freebsd 4.x-stable.
My server is using frequently used configuration with NAT+FW ADSL router with one external ip on external network interface (we're using ADSL modem in bridge mode).
I've configured single pipe, configured queues to use that pipe, add queues with different
2010 May 05
12
[Xen-API] XCP Monthly Call Request
I am planning to schedule a monthly XCP meeting for the community and am struggling with when to host the call. As we are a global community, there is no single optimal time to host the meeting. In an effort to support the most likely attendees, please send me your time zone if you plan to participate in these calls. I will track the most common time zones in an effort to maximize attendance. All