Linux doesn't write to the wire unless it has to (the address is not local).
Using lo is good to prevent the vserver from receiving traffic from the wire, thou...
Regards,
Nuno Silva
Luís Miguel Silva wrote:
Hello Nuno :o)

When I mentioned using lo for "sniffing protection" I was thinking about protecting the vservers' network data flow from other servers on the same network! :o) (not about sniffing the data between vservers/root server).

Regards,
Luís Miguel Silva

Luís Miguel Silva wrote:
[..snip..]
Since I thought *somebody could sniff the data between vservers* I chose to bind them into the lo interface! That way they can still communicate with each other and be "secure" ;o)
[would somebody correct me on this if I'm wrong?]

Hello Luís!

In the default vserver .conf, the vservers' root can't control the network interfaces, so vservers' root can't enable promisc mode and can't run a sniffer.

If the vservers' root could enable sniffing (you added CAP_NET_* to the vservers' capabilities list, for instance) then he could do it in eth0 or lo...

So, afaict, chbind'ing to eth0: or lo: it's the same in terms of "sniffer protection".

All the best,
Nuno Silva

+-----------------------------------------
| Luís Miguel Silva
| Network Administrator @ ISPGaya.pt
| Rua António Rodrigues da Rocha, 291/341
| Sto. Ovídio - 4400-025 V. N. de Gaia
| Portugal
| T: +351 22 3745730/3/5 F: +351 22 3745738
| G: +351 93 6371253 E: [EMAIL PROTECTED]
| H: http://lms.ispgaya.pt/
+-----------------------------------------
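The capability point made in the thread can be checked on a running guest by decoding the effective capability mask in /proc/<pid>/status. The Python sketch below is an added example, not part of the original thread or of the vserver tools; the two sample status texts are constructed, the function names are hypothetical, and the bit numbers are the ones defined in linux/capability.h.

```python
import re

# CAP_NET_* bit numbers as defined in linux/capability.h
CAP_NET = {
    "CAP_NET_BIND_SERVICE": 10,
    "CAP_NET_BROADCAST": 11,
    "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13,
}

# Constructed samples (not taken from a real vserver): one guest without
# CAP_NET_ADMIN/CAP_NET_RAW, one where they were added to the capability list.
RESTRICTED_STATUS = "Name:\tbash\nCapInh:\t00000000\nCapPrm:\t000004ff\nCapEff:\t000004ff\n"
WIDENED_STATUS = "Name:\tbash\nCapInh:\t00000000\nCapPrm:\t000034ff\nCapEff:\t000034ff\n"

def parse_cap_eff(status_text):
    """Return the effective capability mask from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line found")
    return int(m.group(1), 16)

def net_caps(mask):
    """Names of the CAP_NET_* bits set in the mask, sorted."""
    return sorted(name for name, bit in CAP_NET.items() if mask & (1 << bit))

def sniffing_exposure(status_text):
    """Summarise whether the process could capture traffic on any interface."""
    caps = net_caps(parse_cap_eff(status_text))
    return {
        "net_caps": caps,
        # A sniffer opens a packet/raw socket, which requires CAP_NET_RAW.
        "can_open_packet_socket": "CAP_NET_RAW" in caps,
        # Changing interface flags (SIOCSIFFLAGS) requires CAP_NET_ADMIN.
        "can_change_interface_flags": "CAP_NET_ADMIN" in caps,
    }

if __name__ == "__main__":
    # Run inside the guest as its root to audit the current context.
    with open("/proc/self/status") as fh:
        print(sniffing_exposure(fh.read()))
```

If either flag comes back true inside a guest, binding it to lo instead of eth0 does not change what its root can capture, which is the point of the reply above.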
