Hi, I am just getting set up with Xen-devel, and am impressed! (I don't have a domain starting yet, but am booting into a modified Gentoo install and it seems to be ok so far.. )

I have a question, can Xen disallow promiscuous mode on guest NICs like VMware does? I want to give my trusted web customers root but not access to subnet traffic.

Thanks!!

~ John

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xen-devel
> Hi, I am just getting set up with Xen-devel, and am impressed! (I don't
> have a domain starting yet, but am booting into a modified Gentoo
> install and it seems to be ok so far.. )
>
> I have a question, can Xen disallow promiscuous mode on guest NICs like
> VMware does? I want to give my trusted web customers root but not
> access to subnet traffic.

The default config uses bridging in domain 0 to connect together all of the guest NICs; in this case, guests will be able to see anything that is on the local network.

If you want to enforce some 'privacy', you can configure things a little differently:

a. use a 'routed' model in which domain0 acts as the gateway; in this case, no guest can see anything save point-to-point packets between itself and its opposite number in domain0. However it does mean a bit more hassle setting up interfaces in domain0.

b. use ebtables -- this is an ethernet-level "firewall", which should allow you to configure whatever you want. Should be more flexible (i.e. can allow some guests to see all bcast packets, others to see some, others to see none) and more efficient. However I've never used it :-)

Note that you can automate getting 'stuff' done on domain creation by editing /etc/xen/xend-conf.sxp ; in particular you can tailor which scripts are invoked when setting up networking, etc.

cheers,

S.
> The default config uses bridging in domain 0 to connect together all
> of the guest NICs; in this case, guests will be able to see anything
> that is on the local network.

Although it's called a 'bridge', it's actually an L2 'switch' : a domain will typically only see traffic that's sent to its MAC or the broadcast/multicast MAC (once it's learnt where all the MAC addresses live).

As with a physical network, you'd still be vulnerable to ARP spoofing or forged src addr attacks that would enable an attacker to see packets it shouldn't.

> If you want to enforce some 'privacy', you can configure things a
> little differently;
>
> a. use a 'routed' model in which domain0 acts as the gateway; in
> this case, no guest can see anything save point-to-point packets
> between itself and its opposite number in domain0. However it
> does mean a bit more hassle setting up interfaces in domain0.
>
> b. use ebtables -- this is an ethernet-level "firewall", which
> should allow you to configure whatever you want. Should be
> more flexible (i.e. can allow some guests to see all bcast
> packets, others to see some, others to see none) and more
> efficient. However I've never used it :-)

We build the bridge-nf patch into our linux 2.4 kernel by default, so it's possible to use Linux's normal iptables commands to filter traffic to domains at the IP level even if you're using bridging rather than routing (bridge-nf is standard in 2.6). However, you'll need a relatively recent version of the iptables user-space package that supports the 'physdev' module to enable you to attach rules to specific VIFs.

The vif-bridge script contains an example invocation that stops domains from spoofing their src IP address (though you have to be careful about DHCP requests and such like).

ebtables is useful if you want to do purely L2-level (Ethernet) filtering.

Ian

[perhaps someone could stick this in a FAQ...]
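A per-VIF rule generator in the style Ian and S. describe (physdev-matched iptables anti-spoof rules with the DHCP exception, plus an optional ebtables L2 rule), written as an added example for this thread; it is not the thread's or Xen's own vif-bridge script, and the VIF name, IP and MAC used below are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Xen's vif-bridge script. Assumes a bridge-nf kernel
# (bridge-nf patch on 2.4, standard on 2.6), an iptables userspace with the
# 'physdev' match, ebtables installed, and VIFs named vif<domid>.<n>.

# Print the rules for one VIF rather than applying them, so they can be
# reviewed before use. Args: VIF name, the guest's allowed IPv4 source
# address, and optionally the guest's MAC address for the L2 rule.
vif_rules() {
    vif=$1; ip=$2; mac=$3
    # Reject anything that is obviously not a dotted-quad address.
    case $ip in
        ""|*[!0-9.]*|*..*|.*|*.) echo "bad IPv4 address: $ip" >&2; return 1 ;;
    esac
    # Frames arriving on this VIF may only carry the guest's own source IP:
    # this is the anti-spoof check the thread attributes to vif-bridge.
    echo "iptables -A FORWARD -m physdev --physdev-in $vif -s $ip -j ACCEPT"
    # Caveat from the thread: DHCP DISCOVER/REQUEST is sent from 0.0.0.0,
    # so it must be admitted explicitly before the catch-all drop.
    echo "iptables -A FORWARD -m physdev --physdev-in $vif -p udp --sport 68 --dport 67 -j ACCEPT"
    # Everything else originating from this VIF is dropped.
    echo "iptables -A FORWARD -m physdev --physdev-in $vif -j DROP"
    # Optional Ethernet-level rule: drop frames whose source MAC is not the
    # guest's, which also blunts ARP spoofing from that VIF.
    if [ -n "$mac" ]; then
        echo "ebtables -A FORWARD -i $vif -s ! $mac -j DROP"
    fi
}

# Apply the rules for a VIF by feeding the printed commands to the shell.
apply_vif_rules() {
    vif_rules "$@" | sh
}

# Constructed placeholder values for a demonstration run:
vif_rules vif1.0 10.0.0.5 00:16:3e:00:00:01
```

Run it as root with `apply_vif_rules` instead of `vif_rules` once the printed rules look right for your network; hooking it into the script named by xend-config's network settings gets it done on domain creation.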
Thank you both, that was very informative, I appreciate it! I think I can do exactly what I want (and more) with a combo of techniques.

~ John

On Fri, 13 Aug 2004 20:50:47 +0100 Ian Pratt <Ian.Pratt@cl.cam.ac.uk> wrote: