Hi Everyone,
In order to prevent DomU from entering promiscuous mode, is it just a matter of
adding these 2 rules when the vif is created?
# Both rules assume the FORWARD chain's default policy is DROP and that
# bridge-nf-call-iptables is enabled, otherwise bridged frames never reach them.
# Accept packets leaving the bridge going to the domU only if
# the destination IP for that packet matches an authorized IPv4
# address for that domU.
iptables -A FORWARD -m physdev --physdev-out vif1.0 \
    --destination 216.146.46.43 -j ACCEPT
# Accept packets entering the bridge from the domU and leaving via the
# physical network interface peth0 only if the source IP for that packet
# matches an authorized IPv4 address for that domU.
iptables -A FORWARD -m physdev --physdev-in vif1.0 \
    --physdev-out peth0 --source 216.146.46.43 -j ACCEPT
I got the above from
http://www.standingonthebrink.com/index.php/ipv6-ipv4-and-arp-on-xen-for-vps/
Does that provide total protection? What about if traffic was going from Dom1 to
Dom3, could Dom2 snoop in?
Thanks
_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
On Mon, 14 Jun 2010 10:41:49 +0100, <jonnyt@abpni.co.uk> wrote:
> Hi Everyone,
> In order to prevent DomU from entering promiscuous mode, is it just a matter of
> adding these 2 rules when the vif is created?
> [...]
> Does that provide total protection? What about if traffic was going from Dom1 to
> Dom3, could Dom2 snoop in?
> Thanks
I would think so, provided the rules above filter all traffic except to/from a
specific IP. Therefore if all domU are on separate IP networks the traffic
should be on completely different networks too.
From: Felix Kuperjans
Sent: Mon 14/06/2010 12:56
To: xen-users@lists.xensource.com
Subject: Re: [Xen-users] Promiscuous mode
Hi Jonathan,
keep in mind that others may still use ARP spoofing attacks, because your rules
do not filter ARP packets. This will not allow hosts to receive packets of
other hosts in that scenario, but it could still deny the communication of other
hosts completely.
You won't have any promiscuous interfaces if you use routing, btw.
Regards,
Felix
On 14.06.2010 13:19, Mike Viau wrote:
> I would think so, provided the rules above filter all traffic except to/from a
> specific IP. Therefore if all domU are on separate IP networks the traffic
> should be on completely different networks too.
From: Jonathan Tripathy
Sent: Mon 14/06/2010 13:12
To: Felix Kuperjans; xen-users@lists.xensource.com
Subject: RE: [Xen-users] Promiscuous mode
Hi Mike and Felix,
Felix: Would using those 2 rules, along with these arptables rules, stop ARP
spoofing?
I haven't forgotten about trying your routing method by the way.
I've got a big list of stuff to try out :)
# Bridged ARP only reaches the arptables FORWARD chain if
# bridge-nf-call-arptables is enabled.
# Default policy for packets in the FORWARD chain is DROP.
arptables -P FORWARD DROP
# Flush all existing rules in the FORWARD chain.
arptables -F FORWARD
# Accept ARP requests coming from the domU into the bridge.
arptables -A FORWARD --opcode Request --in-interface vif1.0 -j ACCEPT
# Accept ARP requests coming out of the bridge into the domU.
arptables -A FORWARD --opcode Request --out-interface vif1.0 -j ACCEPT
# Accept ARP replies coming out of the bridge from the physical
# network into the domU.
arptables -A FORWARD --opcode Reply --out-interface vif1.0 \
    --in-interface peth0 -j ACCEPT
Again, taken from
http://www.standingonthebrink.com/index.php/ipv6-ipv4-and-arp-on-xen-for-vps/
Mike: The DomUs will be on the same subnet
Thanks
Jonathan
Forgot to add this:
# Accept ARP replies coming from the domU into the bridge if they
# provide a valid and authorized IP address to MAC address pair.
arptables -A FORWARD --opcode Reply --in-interface vif1.0 \
    --source-ip 216.146.46.43 --source-mac 00:16:3E:38:B4:AC -j ACCEPT
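The complete per-domU rule set the thread arrives at, as an added example that is not code from the thread or from the linked blog post. It assumes the same bridged dom0 layout (vif1.0 as the guest's port on the bridge, peth0 as the physical port, the IP and MAC used above) and goes beyond the posted rules in two ways: every frame entering the bridge from a vif first passes through a per-vif validation chain inserted at the head of FORWARD, so the result does not depend on the order in which domUs were created (with rules only appended, another domU's --physdev-out / --out-interface ACCEPT can match a spoofed frame from this vif before this vif's own checks are reached), and ARP requests leaving a domU are sender-checked as well as replies, since a request carries a sender IP/MAC pair and can poison a neighbour cache just as a reply can. The ANTISPOOF_ chain prefix and the second guest (vif2.0, 216.146.46.44, 00:16:3E:38:B4:AD) are my own placeholders; the inventory table is constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the thread or the linked blog post: emit the
# per-domU iptables/arptables policy from one (vif, IPv4, MAC, physical
# interface) tuple so a vif hook script can apply the same rules to every guest.
# vif1.0, peth0, 216.146.46.43 and 00:16:3E:38:B4:AC come from the thread; the
# ANTISPOOF_ prefix and the second guest are placeholders of my own.
# Rules are printed, not executed, so they can be reviewed before being piped
# into sh on dom0.

# 0 if $1 is six colon-separated hex octets, 1 otherwise.
is_mac() {
    case "$1" in
        [0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f])
            return 0 ;;
        *)  return 1 ;;
    esac
}

# 0 if $1 is a dotted quad with every octet in 0..255, 1 otherwise.
is_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Per-vif validation chain name; '.' in the vif name is replaced to keep the
# chain name plain (vif1.0 -> ANTISPOOF_vif1_0).
chain_name() {
    printf 'ANTISPOOF_%s\n' "$(printf '%s' "$1" | tr . _)"
}

# Rules shared by all domUs; run once, before any per-vif rules.
gen_base_policy() {
    cat <<'EOF'
# physdev and arptables matches only see bridged frames with br_netfilter on
sysctl -w net.bridge.bridge-nf-call-iptables=1
sysctl -w net.bridge.bridge-nf-call-arptables=1
iptables -P FORWARD DROP
arptables -P FORWARD DROP
EOF
}

# Per-domU rules. Usage: gen_domu_rules VIF IPV4 MAC PHYS_IF
# The validation chain is inserted (-I) at the head of FORWARD so a spoofed
# frame from this vif is dropped before any other domU's appended ACCEPT rule,
# which matches only on --physdev-out / --out-interface, can see it.
gen_domu_rules() {
    vif=$1; ip=$2; mac=$3; pif=$4
    is_ipv4 "$ip" || { echo "gen_domu_rules: bad IPv4 address '$ip'" >&2; return 2; }
    is_mac "$mac"  || { echo "gen_domu_rules: bad MAC address '$mac'" >&2; return 2; }
    chain=$(chain_name "$vif")
    cat <<EOF
# $vif: IPv4 $ip, MAC $mac
# 1. Sender validation for everything entering the bridge from $vif.
iptables -N $chain
iptables -A $chain -s $ip -j RETURN
iptables -A $chain -j DROP
iptables -I FORWARD -m physdev --physdev-in $vif -j $chain
arptables -N $chain
arptables -A $chain --source-ip $ip --source-mac $mac -j RETURN
arptables -A $chain -j DROP
arptables -I FORWARD --in-interface $vif -j $chain
# 2. Deliver to $vif only its own address; let only its address out to the wire.
iptables -A FORWARD -m physdev --physdev-out $vif -d $ip -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in $vif --physdev-out $pif -s $ip -j ACCEPT
# 3. ARP from $vif (sender already checked in step 1), requests towards it, and
#    replies from the wire towards it. Replies from other domUs pass their own rules.
arptables -A FORWARD --in-interface $vif -j ACCEPT
arptables -A FORWARD --opcode Request --out-interface $vif -j ACCEPT
arptables -A FORWARD --opcode Reply --in-interface $pif --out-interface $vif -j ACCEPT
EOF
}

# Emit the full ruleset for an inventory of "vif ip mac" lines read from stdin.
gen_all_rules() {
    pif=$1
    gen_base_policy
    while read -r vif ip mac; do
        case "$vif" in ''|'#'*) continue ;; esac
        gen_domu_rules "$vif" "$ip" "$mac" "$pif" || return $?
    done
}

# Constructed sample inventory: the thread's domU plus a second placeholder guest.
DOMU_TABLE='vif1.0 216.146.46.43 00:16:3E:38:B4:AC
vif2.0 216.146.46.44 00:16:3E:38:B4:AD'
printf '%s\n' "$DOMU_TABLE" | gen_all_rules peth0
```

Run it once to review the output, then pipe it into sh on dom0, or call gen_base_policy from the network start script and gen_domu_rules from the vif hook with the guest's values. It covers IPv4 and ARP only: other ethertypes, IPv6 included, cross the bridge untouched by iptables and arptables and need ebtables rules of their own.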