So, I was testing Xen's Auto-Spoof mechanism on a rhel5.1 box last weekend. (I accidentally posted this to the RHELv4 list; this is just a repost to the correct people.)

I set it up the usual way: I edit /etc/xen/xend-config.sxp and add

(network-script 'network-bridge antispoof=yes')

and then I edit the config file for my DomU to add the following vif:

vif = ['ip=192.168.1.47,bridge=xenbr0']

It puts reasonable-looking rules in the FORWARD chain, but it doesn't actually do any blocking. The guest can still spoof at will. Running iptables -V shows that packets sent through the bridge do not hit the FORWARD chain at all.

I note that /proc/sys/net/bridge/bridge-nf-call-iptables is false.

echo 1 >/proc/sys/net/bridge/bridge-nf-call-iptables

fixes the problem. Packets are allowed or dropped as expected.

This is a very important thing for those of us providing service to untrusted users. Perhaps this should be done by the RHEL version of /etc/xen/scripts/network-bridge, if antispoof is set to yes? For now, that's what I've done on my boxes. Could this be made default for future versions of RHEL?

thanks.

--
Luke Crawford
http://prgmr.com/~lsc

_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
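The post's fix is a one-off `echo 1` into the bridge-netfilter sysctl, and its diagnosis is that FORWARD counters stay at zero. The script below is an added example, not code from the post or from Xen's own network-bridge script: it wraps that check-and-set in functions so it can be run from a hook before the antispoof rules are relied on, and it sums the packet counters of `iptables -L FORWARD -v -n -x` output so a zero total flags the silent-bypass condition the post describes. Function names, the `--apply` flag and the sample iptables output are assumptions constructed for the example; the sysctl path and the `net.bridge.bridge-nf-call-iptables` key are real.

```bash
#!/bin/sh
# Added example (not from the original post or from Xen). Ensures bridged
# frames are passed to the iptables FORWARD chain, which is what makes the
# Xen antispoof rules on vif interfaces effective at all.

BRNF_IPT=/proc/sys/net/bridge/bridge-nf-call-iptables

# read_brnf [FILE]: print the current value ("0" or "1"); print "missing"
# and return 1 if bridge netfilter is not present (bridge module not loaded).
read_brnf() {
  f="${1:-$BRNF_IPT}"
  if [ ! -r "$f" ]; then
    echo missing
    return 1
  fi
  tr -d ' \n' < "$f"
}

# ensure_brnf [FILE]: set the sysctl to 1 if it is not already, and verify
# the write took effect. Returns 0 on success, 1 otherwise.
ensure_brnf() {
  f="${1:-$BRNF_IPT}"
  cur=$(read_brnf "$f") || return 1
  if [ "$cur" != "1" ]; then
    echo 1 > "$f" || return 1
  fi
  [ "$(read_brnf "$f")" = "1" ]
}

# forward_pkts FILE: sum the pkts column of `iptables -L FORWARD -v -n -x`
# output saved in FILE. With antispoof rules installed, a total of 0 after
# guest traffic has flowed means the bridge is bypassing FORWARD entirely.
# -x is used so large counters are not abbreviated to "12K"/"3M".
forward_pkts() {
  awk '$1 ~ /^[0-9]+$/ { s += $1 } END { print s + 0 }' "$1"
}

# Constructed sample of what `iptables -L FORWARD -v -n -x` might show once
# the antispoof rules are being hit (hypothetical vif name and counters).
SAMPLE_FORWARD='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      12        960 ACCEPT     all  --  *      *       192.168.1.47         0.0.0.0/0            PHYSDEV match --physdev-in vif1.0
       3        180 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vif1.0'

# Only touch the live system when explicitly asked (e.g. from a hook that
# runs after the bridge is up): ./brnf-check.sh --apply
if [ "${1:-}" = "--apply" ]; then
  if ensure_brnf; then
    echo "bridge-nf-call-iptables is 1; FORWARD rules will see bridged traffic"
  else
    echo "could not enable bridge-nf-call-iptables (bridge module loaded?)" >&2
    exit 1
  fi
  tmp=$(mktemp)
  iptables -L FORWARD -v -n -x > "$tmp"
  echo "packets counted by FORWARD rules: $(forward_pkts "$tmp")"
  rm -f "$tmp"
fi
```

To keep the setting across reboots, `net.bridge.bridge-nf-call-iptables = 1` can go in /etc/sysctl.conf, with the caveat that the key only exists once the bridge module is loaded, so on a host where the bridge is created later by the Xen network script the setting is better applied from that script (as the post does by hand) than from the early-boot sysctl pass.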
