Alan & David,

Thank you both for your comments.

I was pretty sure it couldn't be done but figured I'd ask.  Actually,
I am not trying to replace a firewall; I already have external boxes
that firewall and filter using ACLs.  What I was trying to implement is
something similar to what I have for my VM web servers, but for Linux.

Currently, on VM, if a web server sees someone trying to log in using an
incorrect userid/password, it will prompt them to stop/get help; if they
don't, the client is blocked via the VM TCPIP stack.  Kind of like a
dynamic firewall rule that lasts for a predefined period of time.

I wanted to implement the same for my Linux guests but at the VM level
so that I don't incur the overhead of running iptables on each guest.
This way, if a guest sees repeated login attempts, or sometimes
you see hackers asking for web pages for common admin tools, then
the guest would inform VM, which controls the switch, to block that
external IP address for a specific time.

Thanks.
Aria.


On Thu, 15 Nov 2007 06:48:23 -0500 David Boyes said:
>> I am pretty sure this can't be done at the vswitch level but
>> thought I'd ask if anyone has done something similar.  I know I can
>> block at the guest level but wanted to block all guests at the switch
>> level.
>
>IP addresses are layer 3 entities. VSWITCH deals with layer 2 frames.
>The most you could do with the VSWITCH is block the guest from attaching
>to the VSWITCH in question via GRANTs.
>
>You could put that guest on a different VLAN and use a Linux guest as a
>router between the VLANs. You could then use iptables in the Linux guest
>to limit where it can go and what it can connect to, but at the price of
>doing packet inspection on the 390 CPU.
>
>You could also do the above trick on an outboard box if your network is
>set up in that form, but you still need to insert some kind of filtering
>device. It's most efficient to do that outside the box, so that might be
>your best bet -- ACLs in a router are very efficient.
>
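The guest-side detection Aria describes (count failed logins per source address, then block that address for a predefined period that later lapses), as an added example that is not code from this thread: Python over constructed sshd-style log lines. The log format with an ISO timestamp prefix, the threshold of 3 failures per minute and the 10-minute block period are assumptions; the hand-off that would tell VM to block the address at the switch is represented only by the returned (ip, expiry) list.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# sshd-style failed-login line; the ISO timestamp prefix is an assumption of this example.
FAILED_RE = re.compile(r"^(?P<ts>\S+) .*Failed password for .* from (?P<ip>\d+(?:\.\d+){3})")

class TempBlocker:
    """Count failed logins per source IP; block for a fixed period after N failures in a window."""
    def __init__(self, threshold=3, window=timedelta(minutes=1), block_for=timedelta(minutes=10)):
        self.threshold, self.window, self.block_for = threshold, window, block_for
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked = {}                   # ip -> time the temporary block expires

    def is_blocked(self, ip, now):
        if ip in self.blocked and now < self.blocked[ip]:
            return True
        self.blocked.pop(ip, None)          # predefined period elapsed: the rule lapses
        return False

    def record_failure(self, ip, when):
        recent = self.failures[ip]
        recent.append(when)
        while when - recent[0] > self.window:
            recent.popleft()                # drop failures outside the sliding window
        if self.is_blocked(ip, when) or len(recent) < self.threshold:
            return False                    # already blocked, or not yet over the threshold
        self.blocked[ip] = when + self.block_for
        recent.clear()
        return True                         # a new temporary block starts now

def process_log(text, blocker):
    # Feed log lines to the blocker; return (ip, expiry) for each block that was triggered.
    triggered = []
    for m in filter(None, map(FAILED_RE.match, text.splitlines())):   # skips non-failure lines
        when = datetime.fromisoformat(m["ts"])
        if blocker.record_failure(m["ip"], when):
            triggered.append((m["ip"], blocker.blocked[m["ip"]]))
    return triggered

# Constructed sample log (not from the thread); addresses are RFC 5737 documentation values.
SAMPLE_LOG = """\
2007-11-15T06:48:01 guest1 sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 51122 ssh2
2007-11-15T06:48:04 guest1 sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 51123 ssh2
2007-11-15T06:48:09 guest1 sshd[1204]: Failed password for root from 192.0.2.10 port 51125 ssh2
2007-11-15T06:49:00 guest1 sshd[1211]: Failed password for root from 198.51.100.7 port 40001 ssh2
2007-11-15T06:59:00 guest1 sshd[1220]: Failed password for root from 192.0.2.10 port 51130 ssh2
"""

def run_sample():
    return process_log(SAMPLE_LOG, TempBlocker())
```

On the sample, only 192.0.2.10 crosses the threshold (block until 06:58:09); its later failure at 06:59:00 arrives after the block has lapsed and starts a fresh count, and the single failure from 198.51.100.7 never triggers anything.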
