similar to: [ronvdaal@zarathustra.linux666.com: Possible security issue with FreeBSD 5.4 jailing and BPF]

Displaying 20 results from an estimated 200 matches similar to: "[ronvdaal@zarathustra.linux666.com: Possible security issue with FreeBSD 5.4 jailing and BPF]"

2007 Apr 18
1
[Bridge] Setting the interfaces in promiscuous mode
Hello, I have been using the bridging facilities provided by Linux (vanilla 2.6.7 SMP with UML skas host patch applied) to bridge a regular physical ethernet network (on interface eth0) with a virtual network (on interface tap0, cf uml_switch, http://user-mode-linux.sourceforge.net/networking.html). A couple of virtual machines (run using user-mode linux, a tool that enables you to run linux
2010 Jun 14
4
Promiscuous mode
Hi Everyone, In order to prevent DomU from entering promiscuous mode, is it just a matter of adding these 2 rules when the vif is created? # Accept packets leaving the bridge going to the domU only if # the destination IP for that packet matches an authorized IPv4 # address for that domU. iptables -A FORWARD -m physdev --physdev-out vif1.0 \ --destination 216.146.46.43 -j ACCEPT
2006 Mar 07
3
Jails and loopback interfaces
Hi, Running: FreeBSD 6.0 I am wondering if it is possible to have access to loopback ip in a jail. I currently have a server running a jail. In the jail, there is a database and a web server. I would like to be able to have the database only bind on a loopback address and not on the jail's ip. Can this be done and how? Thanks -Cyril
2007 May 02
0
network-route
Re hello list ! I'm using XEN 3.0.3 with 3 VM in bridge mode. I would like to use route mode to 'remove' the promiscuous mode. How can I do that? I have tried to comment (vif-script vif-bridge) and (network-script multi-bridge) and uncomment (vif-script vif-route) (network script-network-route) but it doesn't work ! And what about (network nat) ! Do
2007 Apr 18
1
[Bridge] About simple bridging using Fedora Core 2
Hi, I am a beginner of bridge. I have a problem of using Fedora Core 2 to make a simple bridge. Here is my setup: The bridge computer is installed with Fedora Core 2 (with the SE Linux patch). As I know that kernel 2.6.5 already supports bridging by default, I didn't recompile the kernel. Then I installed bridge-utils-0.9.6-1.i386. And no additional configuration is made. After
2007 Apr 18
1
[Bridge] Man-in-the-middle scenario within vmware - problem
Hi there, I'm trying to set up a man-in-the-middle scenario within a VMWare Workstation team, using brctl. What I want is the following: PC1 eth0 >---LAN-segment-1---< eth0 PCMITM eth1 >---LAN-segment-2---< eth0 PC2 Now I did the following on PCMITM (PC man in the middle): ifconfig eth0 down ifconfig eth1 down brctl addbr lnxbr0 brctl addif lnxbr0 eth0 brctl addif lnxbr0 eth1
2004 Jul 03
1
samba+obsd+subnets
Hello, I'm having problems getting my samba setup to work at a little LAN I partially maintain. I've been reading quite a lot about what I could think of being related to my problems/setup, and I've also googled my ass off :( So here I am, resorting to you guys in hope of help =] Sorry to say, but I don't have much experience, and therefore I'm a bit lost at the moment. Not
2009 Nov 02
0
[PATCHv4 3/6] qemu/net: add raw backend
Add raw network backend option which uses a packet socket to provide raw networking access. Once the socket is opened it's bound to a provided host interface, such that packets received on the interface are delivered to the VM and packets sent by the VM are sent to the interface. This is functionally similar to the existing pcap network backend, with the same advantages and problems.
2002 Jun 27
1
jailing transfer-only accounts
hello, we need to transfer files in a secure way with different partners and clients. at the moment we're using commercial ssh because we found it the only way to transfer files in a jailed environment and without offering a login shell. we'd like to use openssh but found only some patches and wrapper scripts but nothing "official" to do what we need. i could imagine (and read on
2002 May 22
2
chrooting/jailing transfer-only accounts
Folks, I've been tasked to find a solution that will create file-transfer-only accounts that are jailed or chrooted to a specific directory. (Not an uncommon task, I think.) Using the OpenSSH server and the OpenSSH scp client program, I can achieve the goal of having a file transfer only account jailed to a specified directory, by using the "scpjail" script (attached) as a
2008 Sep 23
1
fxp multicast forwarding problems
Hi, Whilst doing some QA work on XORP on my desktop, which has fxp0 and msk0, fxp0 got totally hosed. I was running PIM-SM and IGMPv2 router-mode on the box at the time. I wonder if this is related to the problems with fxp multicast transmission I saw back in April. I'm a bit concerned about this as fxp is still a very widespread and useful network chip. I am running
2009 Apr 08
1
fxp: stalled transfers
Hello, after upgrading my system from 7.1-RELEASE to recent RELENG_7 I noticed stalled network transfers in certain cases. I have an Intel PRO/100 ethernet adapter (card=0x00408086 chip=0x12298086 rev=0x0c). In general networking works fine. I can ping hosts, surf on websites and so on. But if I send large files (>1 MB) to my server the transfer stalls after a few kilobytes. This concerns FTP
2003 Jun 06
0
fxp0: device timeout
Morning all ... I saw the previous thread, and ignorantly didn't follow it ... and now I can't seem to find it in the archives to go through it now that it's hit me ... This morning, after 5 days of uptime, my server got hit with: Jun 6 09:52:19 pluto /kernel: fxp0: device timeout Jun 6 09:52:19 pluto /kernel: fxp0: SCB timeout: 0x60 0x0 0x0 0x800 Jun 6 09:52:19 pluto /kernel:
2004 Dec 25
3
odd log message...looks serious
hello all- and a happy holiday to all you geeks that are in front of the crt! I found these log messages in my logs and I am not sure what some of them signify. Dec 23 19:08:39 smtp kernel: Limiting closed port RST response from 221 to 200 packets/sec Dec 23 19:08:40 smtp kernel: Limiting closed port RST response from 241 to 200 packets/sec Dec 24 05:32:34 smtp kernel: fxp0: promiscuous mode
2004 Jan 14
4
re hardware requirement - asterisk
I have just checked the Openbsd box on the if interface. fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 address: 00:02:55:30:54:28 media: Ethernet autoselect (100baseTX full-duplex) status: active inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 inet6 fe80::202:55ff:fe30:5428%fxp0 prefixlen 64 scopeid 0x1 xl0:
2003 Oct 30
1
Using racoon-negotiated IPSec with ipfw and natd
[ -netters, please Cc me or security@ with replies. ] I'm running into trouble integrating dynamic racoon-based IPSec into a network with ipfw and natd. I need to be able to allow VPN access from any address from authenticated clients. I've got the dynamic VPN working, with racoon negotiating SAs and installing SPs, but the problem is that I can't tell whether an incoming packet on
2003 Sep 12
0
multiple problems with fxp0 and 4.8/9-stable
I've spent the past four days or so updating machines here to 4.8/9-stable via cvsup, and have done a complete make buildworld/kernel on each machine (some SMP, some single processor). It seems something is broken with the latest fxp driver, on each machine (different mobos and hardware configs) heavy network traffic with fxp NICs causes timeouts and random kernel panics. First machine to
2003 Jun 11
7
IPFW: combining "divert natd" with "keep-state"
I've been using ipfw for a while to create a router with NAT and packet filtering, but have never combined it with stateful filtering, instead using things like "established" to accept incoming TCP packets which are part of a conversation initiated from the "inside". I'd like to move to using keep-state/check-state to get tighter filtering and also to allow outgoing
2008 Oct 29
2
Problem with Bridging ... and bge devices under FreeBSD 7.x?
I'm trying to run a QEMU VM on top of a FreeBSD 7.x server ... I've tried the exact same setup on my desktop, using 192.168.1.x and an fxp device, and it all works perfectly, but as soon as I do this on another machine on a public IP, I'm not getting any routing, I can't even ping it from the same machine ... My first thought was