similar to: XEN 4.0.1 bridged network - antispoof Option does not work

Hi folks, I am trying to get antispoofing running on xen3 (based on Debian Sarge). This is what I have done to enable it: 1. I have compiled a dom0 kernel with CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m 2. I made sure this module is loaded: lsmod gives xt_physdev (among others). 3a. I have changed the line "(network-script network-bridge)" to "(network-script network-bridge

Hi folks, I started testing the antispoof feature of xen stable (2.0.7). I am stuck with it. I have setup a standard bridged environment. I understood it like this: in domU config I set up the virtual NIC like vif = [ ''mac=ae:00:00:78:78:78, ip=192.168.0.100'' ] Then I configure /etc/network/interface of this domU to show the same IP address for eth0. After restarting

Hi, recently Ive installed Windows 2008 x64 HVM domain on Xen 4.0. On xen wiki is info: Support for Citrix WHQL-certified Windows PV drivers, included in XCP (Xen Cloud Platform). Xen Cloud Platform: So I installed them on Windows 2008 x64 domain and its not able to boot anymore: File: \windows\system32\Drivers\xevtchn.sys Status: 0xc0000428 Info: Windows cannot verify the digital

Hi, recently Ive installed Windows 2008 x64 HVM domain on Xen 4.0. On xen wiki is info: Support for Citrix WHQL-certified Windows PV drivers, included in XCP (Xen Cloud Platform). Xen Cloud Platform: So I installed them on Windows 2008 x64 domain and its not able to boot anymore: File: \windows\system32\Drivers\xevtchn.sys Status: 0xc0000428 Info: Windows cannot verify the digital

Package: xen-utils-common Version: 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5 Severity: important Tags: patch security -- System Information: Debian Release: 9.4 APT prefers stable APT policy: (990, 'stable'), (500, 'stable-updates') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-6-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8),

Package: xen-utils-common Version: 4.1.3-8 Severity: important When antispoof is set to 'on', the vif-common script does not create an ALLOW firewall rule for the emulated vif devices. This means that HVM nodes, unless a Xen PV driver is installed and running, cannot access the external network. The vif-common script creates an ACCEPT entry for the normal vif device (e.g. vif4.0) but not

Hey everyone, I have a question about vif-common.sh. I run multiple bridges attached on dummy interfaces, which allow me to put guests in seperate subnets (routed through the dom0). As you might expect I already have quite extensive iptables scripts to accomidate this kind of routing. I was just hoping someone on this list can confirm, that I understand what the iptables lines in vif-common.sh

I am planning to schedule a monthly XCP meeting for the community and am struggling with when to host the call. As we are a global community, there is no single optimal time to host the meeting. In an effort to support the most likely attendees, please send me your time zone if you plan to participate in these calls. I will track the most common time zones in an effort to maximize attendance. All

I am planning to schedule a monthly XCP meeting for the community and am struggling with when to host the call. As we are a global community, there is no single optimal time to host the meeting. In an effort to support the most likely attendees, please send me your time zone if you plan to participate in these calls. I will track the most common time zones in an effort to maximize attendance. All

When start a domU through xl create. The domU associated ip in the configuration file is not recorded in the xenstore. For this reason vif-common.sh antispoof scripts fails. *xl create * /usr/bin/xenstore-ls /local/domain/0/backend/vif/5/0 frontend = "/local/domain/5/device/vif/0" frontend-id = "5" online = "1" state = "4" script =

Hi, we are trying to secure our Xen boxes with IPtables on Dom0 but we always seem to get cut off and can only cure it be rebooting the box. Has anyone got a sucessful config they can share that secures the server with one nic? We are using Xen 3.0.4 thanks Ian _______________________________________________ Xen-users mailing list Xen-users@lists.xensource.com

This patch adds an ACM hook into the network scripts (/etc/xen/scripts). It adds iptables rules that enforce mandatory access control on network packets exchanged between virtual interfaces. If ACM is active, this patch sets the default FORWARD policy in Dom0 to DROP and adds iptables ACCEPT rules between vifs that belong to domains that are permitted to share (determined by using the

Hello I have a Supermicro system with Intel XEON cpu with VT enabled. HVM, without Windows PV driver, works great. I am trying to use Windows PV driver from XCP 0.5, it is in the .iso file of XCP 0.5 Filename: windows-pvdrivers-xensetup.exe I have tried - XEN 3.4.3 (Linux 2.6.18.8) - XEN 4.0.1-rc6-pre (Linux 2.6.31.x and Linux 2.6.32.x from Jeremys GIT) and - XEN 4.0.1-rc6 (Linux 2.6.31.x and

Hello, When start a domU through xl create. The domU associated ip in the configuration file is not recorded in the xenstore. For this reason vif-common.sh antispoof scripts fails. *xl create * /usr/bin/xenstore-ls /local/domain/0/backend/vif/5/0 frontend = "/local/domain/5/device/vif/0" frontend-id = "5" online = "1" state = "4" script =

Hi all. What right way to protect ip/mac spoofing for guests withnount dhcp and other 1 ip per guest?

When I start xen dom0 I get that same dhcp address for eth0 and for xen-br0, dom0 can talk to the world. If I start each of my 3 domU''s mannually, each guest gets a xen-br0 vif with a dhcp address and all 3 can talk to the outside world and each other (my "flat network"). What I want is a tiered network with the first domU acting as a firewall with 3 nics vif = [

Hi, I''m setting up my first xen machine, and I''m trying to setup two Virtual Machines, each mapped to a physical adapter on a different network. The virtual machine mapped to xen-br0 and eth0 works fine. However, when I bring up a VM with this configuration file: ----------------- name = "test77" kernel = "/boot/vmlinuz-2.6.11.12-xenU" root =

Package: xen-utils-common Version: 3.4.2-2 Severity: important The network setup uses not longer supported iptables operations: | physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore. -- Those who hate and fight must stop themselves -- otherwise it is not stopped. -- Spock, "Day of the Dove", stardate

http://bugzilla.netfilter.org/show_bug.cgi?id=814 Summary: rpfilter blocks broadcast packets Product: netfilter/iptables Version: unspecified Platform: x86_64 OS/Version: Gentoo Status: NEW Severity: normal Priority: P5 Component: ip_tables (kernel) AssignedTo: netfilter-buglog at

hi, we like to use our server to host many guest system. we use these guests as test for our product testing which can be installed trough pxe install (we reinstall these guest very often). unfortunately it''s not possible to use routed network with pxe boot. so we _need_ bridged setup kvm with config as described in: