I have multiple interfaces and my network is similar to what you describe, so I just need to make all other services not listen on 0.0.0.0

Thank you Vish

William

On Fri, Jun 1, 2012 at 3:39 PM, Vishvananda Ishaya <[email protected]> wrote:

> Generally I handle this by using a different eth device (or vlan) for the
> instance network. Then you make sure that no services on compute are
> listening on 0.0.0.0
>
> If you have only one interface for example, you can run three vlans across
> it
>
> eth0:10 -> public network <public ip address> for routing and floating ips
> and such. Nothing should listen here
> eth0:11 -> management network <192.168.0.0/24 range> Rabbit and mysql run
> on this network. All services (ssh, etc.) run here
> eth0:12 -> vm network <10.0.0.0/8 range> for vms. Nothing should listen
> here (except dnsmasq obviously)
>
> Vish
>
> On May 31, 2012, at 7:35 PM, William Herry wrote:
>
> We use FlatDHCP network mode, all things work fine, instances have 10.0.0.x
> IPs and 10.0.0.1 as gateway
> Our problem is that services (most of the time on the compute node) have
> little restriction from instances, so an instance can see a lot of open
> ports on the services. I am wondering if this is a security problem
>
> Restricting services on the compute node to not listen on 10.0.0.x IPs is
> the way I can think of to solve this, any other ways?
>
> Thanks
>
> --
>
> William Herry
> ====================
> [email protected]
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : [email protected]
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp

--
William Herry
====================
[email protected]
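One way to check a compute node for the condition discussed in this thread, added here as an example that is not part of the original messages: parse /proc/net/tcp and report TCP listeners bound to 0.0.0.0 or to an address on a network where nothing should listen. The sample table, the dnsmasq address 10.0.0.1:53 and the function names are assumptions made for illustration; the hex decoding assumes a little-endian host.

```python
import ipaddress
import socket
import struct

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 0100A8C0:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   105        0 1002 1
   2: 0100000A:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1
   3: 0100000A:170C 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1004 1
   4: 0100A8C0:0016 0200A8C0:C350 01 00000000:00000000 00:00000000 00000000     0        0 1005 1
"""


def decode(hex_endpoint):
    """Turn '0100000A:0035' into ('10.0.0.1', 53); assumes a little-endian host."""
    addr, port = hex_endpoint.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr, 16)))
    return ip, int(port, 16)


def exposed_listeners(proc_net_tcp, no_listen_nets, allowed=frozenset()):
    """Return (ip, port, reason) for LISTEN sockets reachable from no_listen_nets."""
    nets = [ipaddress.ip_network(n) for n in no_listen_nets]
    findings = []
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:  # ignore non-listening sockets
            continue
        ip, port = decode(fields[1])
        if (ip, port) in allowed:                   # e.g. dnsmasq on the vm network
            continue
        if ip == "0.0.0.0":
            findings.append((ip, port, "wildcard bind"))
        elif any(ipaddress.ip_address(ip) in n for n in nets):
            findings.append((ip, port, "bound on a no-listen network"))
    return findings


if __name__ == "__main__":
    # 10.0.0.0/8 is the vm network from the thread; the dnsmasq address is assumed.
    for ip, port, why in exposed_listeners(SAMPLE, ["10.0.0.0/8"], {("10.0.0.1", 53)}):
        print(f"{ip}:{port} -> {why}")
```

On a real node, pass the contents of /proc/net/tcp instead of SAMPLE; IPv6 listeners in /proc/net/tcp6 and UDP sockets are not covered by this check.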

