similar to: [SECURITY] preventing Hwaddr spoofing on bridge

Hi, > Can you manually do on the xen interfaces what the scripts would? How about > doing it on some other interface configured in a similar way? Toying with the vif-route script, I might have found a workaround for this issue. If I disable the ifconfig and ip route commands from vif-route script, and bring up vif interface by hand later on, everything seems to work. In other works,

Hi all. What right way to protect ip/mac spoofing for guests withnount dhcp and other 1 ip per guest?

Here are some notes I have about Linux bridging. I''ll try to separate what I know I know from what I think I know. Let''s say I want to bridge eth0, eth1, and eth2 together, all with an IP Address of, say, 1.2.3.2. This is how to do it: echo "Setting up br0 to bridge eth0 with eth1 and eth2" /usr/sbin/brctl addbr br0 /usr/sbin/brctl addif br0 eth0

Hi, Thiago Oliveira <cpv.thiago@gmail.com> writes: > I would like to know the same! Currently I am using iptables to do it. I use ebtables. -Timo

Hello, I'm recently stumbled over the libvirt network filter capabilities and got pretty excited. Unfortunately I'm not able to get the the "clean-traffic" filterset working. I'm using a freshly installed Debian Stretch with libvirt, qemu and KVM. My config snippet looks as follows: sudo virsh edit <VM> [...] <interface type='bridge'> <mac

Hi there. I have configured kvm domain (rhel6.4) with ethernet bridged over macvtap, and found no filtration applied except mac. 'virsh' just silently ignoring attributes 'filterref' and 'ip address' in different formats. No error on validate stage. Config examples: ... <interface type='direct'> <mac address='52:54:00:31:ae:1a'/>

https://bugzilla.netfilter.org/show_bug.cgi?id=1674 Bug ID: 1674 Summary: ebtables causing packet loss Product: ebtables Version: unspecified Hardware: x86_64 OS: All Status: NEW Severity: critical Priority: P5 Component: ebtables-nft Assignee: pablo at netfilter.org

Package: xen-utils-3.0 Version: 3.0.2+hg9656-1 Severity: normal My setup is a basic one. No changes to the /etc/xen/* files. Network in a domU works perfectly fine. But, after shutdowning a domU, I can see the following lines in /var/log/debug: May 6 10:31:45 vaio logger: /etc/xen/scripts/vif-bridge: offline XENBUS_PATH=backend/vif/18/0 May 6 10:31:46 vaio logger: /etc/xen/scripts/vif-bridge:

Hi I am using libvirt (0.9.12) with openstack and xen. It looks like libvirt is not creating ebtables rules against arp spoofing etc. Here are my configs: VM definition: <domain type='xen'> <uuid>d49b777f-32f1-4093-ae47-a12efd0efd2c</uuid> <name>instance-00000168</name> <memory>2097152</memory> <os>

Hello everyone! Well i want to know, if there is a way to specify a physical nic (like eth0 or eth1) to a domU and how can i do it. The server has two nics, what i want to do is assign physical nic (eth0) to the dom0 and assign physical nic (eht1) to the domU. I appreciate your help. Regards Ivan ____________________________________________________________________________________ Be a

Hello. I''ve just started using Xen. My configuration is plain simple: I''ve got a Centos 5 Host with Xen and a single virtual machine which also uses Centos 5. Both of them have real IPs of the same real network. Now, I have to delegate the server administration to an external company which I don''t trust, so I''d want to filter any connection started by the

I have a new x3655 IBM and whenever the /etc/xen/scripts/network-bridge script starts, the ethernet would no longer work. This post isn''t about the cause, but the fix. I did a lot of tcpdumps and Googling, but I''ll spare you that. All they do is prove that yes, there is an issue. :) I tried Debian 4.0 i386/amd64 and Ubuntu 7.04 Server i386/amd64 and they all exhibit the

Hi I have been using Shorewall for a while now and find it very useful and easy to configure, I am learning iptables and having trouble getting the bridge to successfully work with squid, although I get it working with Shorewall straight away? Does anyone know the rules to successfully use squid with a transparent bridge? Internet – router - (bridge eth0 – eth1) – local lan auto lo iface lo

Here is a puzzle. I have a network with several servers. It''s a mess. It''s a /24 and pieces and servers are all over the place inside this /24 block, on both sides of the firewall. For example, the router at 1.2.3.1 is outside the firewall and many of the servers at 1.2.3.nnn/24 are behind the firewall. (Obviously, 1.2.3.nnn is a fudged network.) eth0 points outward to

Hi All, I''m trying to do some traffic shaping on an ethernet bridge. Currently, I have the following setup working: ifconfig eth0 down brctl addbr br0 brctl addif br0 eth0 brctl addif br0 eth1 brctl stp br0 off ifconfig eth0 0.0.0.0 up ifconfig eth1 0.0.0.0 up ifconfig br0 up This creates a bridge consisting of eth0 and eth1. So far so good. I now want to use tc to shape traffic

Hi, I'm relatively new to linux world.I'm just trying to setup a bridge firewall between a router and LAN. I've installed Red Hat Linux 9.0 - 2.4.20-8 from installation CDs and upgraded to 2.4.25 successfully. I've patched my kernel to support bridge firewall also loaded ebtables module,so far so good.Now I tried to create a bridge using the code given in the following link

Hey everyone, I have a question about vif-common.sh. I run multiple bridges attached on dummy interfaces, which allow me to put guests in seperate subnets (routed through the dom0). As you might expect I already have quite extensive iptables scripts to accomidate this kind of routing. I was just hoping someone on this list can confirm, that I understand what the iptables lines in vif-common.sh

Hello all, please tell me, how can I be sure that my Xen installation is built with Intel VT-d support? Something like xm info | grep -i KEY-REGULAR-EXPRESSION xm dmesg | grep -i KEY-REGULAR-EXPRESSION What line I should look for? And if it''s really built with it, how can I be sure, that Xen has successfully initialized VT-d hardware? I have read [1] and the lists archives

Trying to use the policy drop rule with the bridged firewall, when I removed the first line the transparent proxy works great? It seems a bit strange as from reading several articles on it I thought the following occurs. 1st line - if it doest match it gets dropped on the local filter input. 2nd line - redirects the traffic off the link layer into the network layer ready for line 3. 3rd line -

Hello list, I've posted here about this before, but I realise that it may have been assumed that the bridged vlans simply put a switch port in a blocking state and left my question ignored. So to recap. I have two tg3 interfaces named 'in' and 'out' and a bridge named 'br0' My vlan trunk is on the 'in' side of the network, and set as in.2, in.3 ... The