Hi all.

I'm trying to tie MAC addresses to IP addresses to stop IP and MAC spoofing on my Xen host running Debian 5.0 amd64. I've been trying to follow http://archive.netbsd.se/?ml=xen-users&a=2007-11&m=5776600

The DomU's network gets blocked both inward and outward. I've patched my vif-bridge with the instructions on that page and they seem to be applied correctly.

The network is a simple 10.0.0.0 network with eth0 (10.0.0.5) bridged with peth0 as the physical interface.

These are the commands I issued at the start:

Paris:~# /sbin/ebtables -N eth0
Paris:~# /sbin/ebtables -A eth0 --log-level notice --log-prefix "eth0" --log-ip --log-arp -j DROP
Paris:~# /sbin/ebtables -A INPUT --logical-in eth0 -j eth0
Paris:~# /sbin/ebtables -A FORWARD --logical-in eth0 -j eth0
Paris:~# /sbin/ebtables -P INPUT DROP
Paris:~# /sbin/ebtables -P FORWARD DROP

Paris:~# brctl show
bridge name     bridge id               STP enabled     interfaces
eth0            8000.001b24efefac       no              peth0

Paris:~# ebtables --list
Bridge table: filter

Bridge chain: INPUT, entries: 2, policy: DROP
--logical-in eth0 -j eth0

Bridge chain: FORWARD, entries: 2, policy: DROP
--logical-in eth0 -j eth0

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: eth0, entries: 1, policy: ACCEPT
--log-level notice --log-prefix "eth0" --log-ip --log-arp -j DROP

#####################################################################

Now I'll start my DomU:

Using config file "/xen/dmarkey/intrepid/intrepid".
Started domain intrepid

Now the rules after I start the domain:

Paris:~# ebtables --list
Bridge table: filter

Bridge chain: INPUT, entries: 2, policy: DROP
--logical-in eth0 -j eth0

Bridge chain: FORWARD, entries: 2, policy: DROP
--logical-in eth0 -j eth0

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: eth0, entries: 2, policy: ACCEPT
-i vif8.0 -j vif8.0
--log-level notice --log-prefix "eth0" --log-ip --log-arp -j DROP

Bridge chain: vif8.0, entries: 3, policy: ACCEPT
-p IPv4 -s 0:16:3e:c:8f:80 --ip-src 10.0.0.254 -j ACCEPT
-p ARP -s 0:16:3e:c:8f:80 --arp-ip-src 10.0.0.254 --arp-mac-src 0:16:3e:c:8f:80 -j ACCEPT
--log-level notice --log-prefix "vif8.0" --log-ip --log-arp -j DROP

#################################################################################

Log:

[19267.149206] eth0 IN=peth0 OUT=vif8.0 MAC source = 00:e0:81:71:9b:01 MAC dest = 00:16:3e:0c:8f:80 proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=2 ARP MAC SRC=00:e0:81:71:9b:01 ARP IP SRC=10.0.0.6 ARP MAC DST=00:16:3e:0c:8f:80 ARP IP DST=10.0.0.254

Anyone any idea what I'm doing wrong here? Are those instructions out of date? Sorry, I'm new to ebtables.

Thanks.

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
On Tue, Mar 31, 2009 at 07:39:31PM +0100, David Markey wrote:

Hi,

> I'm trying to tie MAC addresses to IP addresses to stop IP and MAC
> spoofing on my Xen host running Debian 5.0 amd64. I've been trying to
> follow http://archive.netbsd.se/?ml=xen-users&a=2007-11&m=5776600

That's based on quite a non-standard Xen network setup:
- dom0 as a router, with two interfaces: eth0 (outside) and xen-br0 (private network) for the Xen domUs
- each domU joins xen-br0 during startup
- dom0 does NAT and firewalling and finally forwards the domUs' traffic over the eth0 connection to the Internet

My old email at the URL above lacks that information, sorry.

> The DomU's network gets blocked both inward and outward.

I think that there is yet another problem with dom0 connectivity. Bridge eth0 in your setup is shared by the Dom0 interface and the DomUs' vifs?

> I've patched my vif-bridge with the instructions on that page and they
> seem to be applied correctly.
>
> The network is a simple 10.0.0.0 network with eth0 (10.0.0.5) bridged with
> peth0 as the physical interface.

That's the difference that matters -- the ebtables rules block dom0 ARP, and any traffic from peth0.

> These are the commands I issued at the start

Please try to extend those initial rules by permitting traffic from peth0. Untested, but should help.

> Paris:~# /sbin/ebtables -N eth0
> Paris:~# /sbin/ebtables -A eth0 --log-level notice --log-prefix "eth0" --log-ip --log-arp -j DROP

/sbin/ebtables -A INPUT --logical-in peth0 -j ACCEPT

> Paris:~# /sbin/ebtables -A INPUT --logical-in eth0 -j eth0

/sbin/ebtables -A FORWARD --logical-in peth0 -j ACCEPT

> Paris:~# /sbin/ebtables -A FORWARD --logical-in eth0 -j eth0
> Paris:~# /sbin/ebtables -P INPUT DROP
> Paris:~# /sbin/ebtables -P FORWARD DROP

> Log:
>
> [19267.149206] eth0 IN=peth0 OUT=vif8.0 MAC source = 00:e0:81:71:9b:01 MAC dest = 00:16:3e:0c:8f:80 proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=2 ARP MAC SRC=00:e0:81:71:9b:01 ARP IP SRC=10.0.0.6 ARP MAC DST=00:16:3e:0c:8f:80 ARP IP DST=10.0.0.254

A packet from interface peth0 (IN=peth0); there were no rules for that interface before.

Kupson
--
Great software without the knowledge to run it is pretty useless.
(Linux Gazette #1)
Thanks for the insight. Unfortunately I still can't get it to work. It seems to be a problem with

/sbin/ebtables -P FORWARD DROP

If I change this to /sbin/ebtables -P FORWARD then it starts working again, but I can change the IP address etc. on the guest.

Does the vif-bridge patch still apply for this setup?

Will I start from scratch and try to build up a set of rules for this situation? I'm sure this will fit most Xen networking situations, as this setup is popular.

Cheers.

On Fri, Apr 3, 2009 at 10:30 AM, Rafał Kupka <rkupka+Listy.Xen@pronet.com.pl> wrote:

> On Tue, Mar 31, 2009 at 07:39:31PM +0100, David Markey wrote:
> Hi,
>
> > I'm trying to tie MAC addresses to IP addresses to stop IP and MAC
> > spoofing on my Xen host running Debian 5.0 amd64. I've been trying to
> > follow http://archive.netbsd.se/?ml=xen-users&a=2007-11&m=5776600
>
> That's based on quite a non-standard Xen network setup:
> - dom0 as a router, with two interfaces: eth0 (outside) and xen-br0 (private network) for the Xen domUs
> - each domU joins xen-br0 during startup
> - dom0 does NAT and firewalling and finally forwards the domUs' traffic over the eth0 connection to the Internet
>
> My old email at the URL above lacks that information, sorry.
>
> > The DomU's network gets blocked both inward and outward.
>
> I think that there is yet another problem with dom0 connectivity. Bridge
> eth0 in your setup is shared by the Dom0 interface and the DomUs' vifs?
>
> > I've patched my vif-bridge with the instructions on that page and they
> > seem to be applied correctly.
> >
> > The network is a simple 10.0.0.0 network with eth0 (10.0.0.5) bridged with
> > peth0 as the physical interface.
>
> That's the difference that matters -- the ebtables rules block dom0 ARP, and
> any traffic from peth0.
>
> > These are the commands I issued at the start
>
> Please try to extend those initial rules by permitting traffic from
> peth0. Untested, but should help.
>
> > Paris:~# /sbin/ebtables -N eth0
> > Paris:~# /sbin/ebtables -A eth0 --log-level notice --log-prefix "eth0" --log-ip --log-arp -j DROP
>
> /sbin/ebtables -A INPUT --logical-in peth0 -j ACCEPT
>
> > Paris:~# /sbin/ebtables -A INPUT --logical-in eth0 -j eth0
>
> /sbin/ebtables -A FORWARD --logical-in peth0 -j ACCEPT
>
> > Paris:~# /sbin/ebtables -A FORWARD --logical-in eth0 -j eth0
> > Paris:~# /sbin/ebtables -P INPUT DROP
> > Paris:~# /sbin/ebtables -P FORWARD DROP
>
> > Log:
> >
> > [19267.149206] eth0 IN=peth0 OUT=vif8.0 MAC source = 00:e0:81:71:9b:01 MAC dest = 00:16:3e:0c:8f:80 proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=2 ARP MAC SRC=00:e0:81:71:9b:01 ARP IP SRC=10.0.0.6 ARP MAC DST=00:16:3e:0c:8f:80 ARP IP DST=10.0.0.254
>
> A packet from interface peth0 (IN=peth0); there were no rules for that
> interface before.
>
> Kupson
> --
> Great software without the knowledge to run it is pretty useless.
> (Linux Gazette #1)
On Fri, Apr 03, 2009 at 06:04:29PM +0100, David wrote:

Hi,

> Unfortunately I still can't get it to work. It seems to be a problem with
> /sbin/ebtables -P FORWARD DROP

Could you provide some ebtables logs?

> If I change this to /sbin/ebtables -P FORWARD then it starts working again,
> but I can change the IP address etc. on the guest.

There has to be a DROP policy at the end of the chain (or a similar DROP rule). It's what prevents malicious traffic. All "good" network packets should hit some ACCEPT rule before reaching the end of the FORWARD/INPUT chain.

> Does the vif-bridge patch still apply for this setup?

Yes.

> Will I start from scratch and try to build up a set of rules for this
> situation? I'm sure this will fit most Xen networking situations, as
> this setup is popular.

Sounds useful.

Kupson
--
Great software without the knowledge to run it is pretty useless.
(Linux Gazette #1)
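As an added example (not code from the thread), the following Python triages ebtables drop lines of the kind David posted against the per-vif MAC/IP bindings from the vif8.0 chain, separating the two situations Kupson describes: a frame entering from peth0 that no ACCEPT rule covers (a missing rule, not spoofing) versus a frame from a vif whose sender fields disagree with its binding (spoofing), with a third verdict for frames that match their binding yet still reached the DROP. The BINDINGS table and the two vif8.0 log lines are constructed assumptions; only the first log line is from the thread.

```python
"""Triage ebtables --log drops on a Xen bridge (added example; bindings assumed to mirror the vif chains)."""
import re
from typing import Dict, List, Tuple

# vif -> (MAC, IP) as listed in the vif8.0 chain on the page. ebtables prints MACs
# without leading zeros while the kernel log pads them, so both forms are normalised.
BINDINGS: Dict[str, Tuple[str, str]] = {"vif8.0": ("0:16:3e:c:8f:80", "10.0.0.254")}

# Constructed sample: line 1 is the drop quoted in the thread; lines 2 and 3 are made-up
# frames leaving the guest (an ARP claiming a foreign IP, then a frame matching its binding).
SAMPLE_LOG = """\
[19267.149206] eth0 IN=peth0 OUT=vif8.0 MAC source = 00:e0:81:71:9b:01 MAC dest = 00:16:3e:0c:8f:80 proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=2 ARP MAC SRC=00:e0:81:71:9b:01 ARP IP SRC=10.0.0.6 ARP MAC DST=00:16:3e:0c:8f:80 ARP IP DST=10.0.0.254
[19301.000001] vif8.0 IN=vif8.0 OUT=peth0 MAC source = 00:16:3e:0c:8f:80 MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=1 ARP MAC SRC=00:16:3e:0c:8f:80 ARP IP SRC=10.0.0.77 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=10.0.0.1
[19302.000001] vif8.0 IN=vif8.0 OUT=peth0 MAC source = 00:16:3e:0c:8f:80 MAC dest = 00:e0:81:71:9b:01 proto = 0x0800 IP SRC=10.0.0.254 IP DST=10.0.0.6, IP tos=0x00, IP proto=1
"""

# Keys as ebtables logs them; "IP proto" is listed so the bare "proto" alternative only captures the Ethertype.
FIELD_RE = re.compile(r"(IN|OUT|MAC source|MAC dest|proto|ARP MAC SRC|ARP IP SRC|ARP MAC DST"
                      r"|ARP IP DST|IP SRC|IP DST|IP proto)\s*=\s*([^\s,]+)")


def norm_mac(mac: str) -> str:
    """00:16:3e:0c:8f:80 and 0:16:3e:c:8f:80 denote the same address."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def classify(line: str, bindings: Dict[str, Tuple[str, str]] = BINDINGS) -> Tuple[str, str]:
    """Return (verdict, detail); verdict is spoof, inbound_dropped or policy_gap."""
    fld = dict(FIELD_RE.findall(line))
    vif = fld.get("IN", "")
    if vif not in bindings:
        # Entered from the uplink (e.g. peth0): no vif rule can match, so the frame fell
        # through to the chain's DROP policy. A missing ACCEPT rule, not spoofing.
        return "inbound_dropped", f"IN={vif} has no ACCEPT rule"
    mac, ip = norm_mac(bindings[vif][0]), bindings[vif][1]
    bad: List[str] = []
    if norm_mac(fld["MAC source"]) != mac:
        bad.append("Ethernet src MAC")
    if fld.get("proto") == "0x0806":  # ARP: the sender fields in the payload must match too
        if norm_mac(fld["ARP MAC SRC"]) != mac:
            bad.append("ARP sender MAC")
        if fld["ARP IP SRC"] != ip:
            bad.append("ARP sender IP")
    elif fld.get("proto") == "0x0800":  # IPv4
        if fld["IP SRC"] != ip:
            bad.append("IP src")
    else:
        return "policy_gap", f"{vif}: proto {fld.get('proto')} is not covered by the vif rules"
    if bad:
        return "spoof", f"{vif}: mismatched " + ", ".join(bad)
    return "policy_gap", f"{vif}: frame matches its binding yet was dropped"
```

Feeding `dmesg` output through `classify` line by line turns a wall of drops into the three buckets above, so a mis-scoped ACCEPT rule is not mistaken for an attack.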
On Fri, Apr 3, 2009 at 6:22 PM, Rafał Kupka <rkupka+Listy.Xen@pronet.com.pl> wrote:

> On Fri, Apr 03, 2009 at 06:04:29PM +0100, David wrote:
> Hi,
>
> > Unfortunately I still can't get it to work. It seems to be a problem with
> > /sbin/ebtables -P FORWARD DROP
>
> Could you provide some ebtables logs?
>
> > If I change this to /sbin/ebtables -P FORWARD then it starts working again,
> > but I can change the IP address etc. on the guest.
>
> There has to be a DROP policy at the end of the chain (or a similar DROP rule).
> It's what prevents malicious traffic. All "good" network packets should hit
> some ACCEPT rule before reaching the end of the FORWARD/INPUT chain.
>
> > Does the vif-bridge patch still apply for this setup?
>
> Yes.
>
> > Will I start from scratch and try to build up a set of rules for this
> > situation? I'm sure this will fit most Xen networking situations, as
> > this setup is popular.
>
> Sounds useful.

Ha, well I don't even know where to start. Any pointers? :)

> Kupson
> --
> Great software without the knowledge to run it is pretty useless.
> (Linux Gazette #1)
Dear All,

I am seeking advice related to Xen VM provisioning tools. I have gone through some of the toolkits, like Red Hat Virt-Manager, OpenNebula (open source), Eucalyptus, the Nimbus project, etc. But I am not sure which solution provides efficient provisioning of VMs with respect to scalability (can be extended up to a really large number of nodes), time-efficient performance, etc.

Please advise me if somebody has used or deployed some of the tools mentioned above. I have used virt-manager, but it can only instantiate/shut down and save/restore VMs; I was not able to discover any migration support in it.

Thanks in advance!

Regards,
Ata