Hurricane Electric's IPv6 Tunnel Broker Forums
Topic: How to prevent nd spoofing by xen domU guests?
Author: tdwebste
Posted: April 18, 2012, 11:26:11 am

In this configuration, untrusted guests are given full root access to their Xen domU.

I currently have arptables and ebtables rules in the dom0 to make ARP spoofing from a domU a little more difficult.
domU# ifconfig
eth0      Link encap:Ethernet  HWaddr 01:02:03:04:05:06
             inet addr:123.123.123.123  .......................

dom0# arptables -L
-j ACCEPT -s nlnog.nmsrv.com --src-mac  01:02:03:04:05:06 --opcode Reply
-j ACCEPT -s nlnog.nmsrv.com --src-mac  01:02:03:04:05:06 --opcode Request

dom0# ebtables -L
-p IPv4 -o vif5.0 --ip-dst 123.123.123.123 -j ACCEPT
-p IPv4 -i vif5.0 --ip-src 123.123.123.123 -j ACCEPT
-p IPv4 -o vif5.0 -j DROP
-p IPv4 -i vif5.0 -j DROP

I am looking for recommendations on how to protect against domU ND spoofing.
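
Added example, not part of the original post: a Python check of the fields a dom0 filter has to pin for IPv6 neighbor discovery on one guest vif, the counterpart of the IPv4 MAC/address pinning shown above. The binding values, function names and sample frame builder are constructed for illustration; the code assumes untagged Ethernet frames and no IPv6 extension headers.

```python
import ipaddress
import struct

# Constructed binding for one guest vif. The MAC is the placeholder from the
# post; the IPv6 addresses are assumed documentation-range values.
GUEST = ipaddress.IPv6Address("2001:db8::123")
BINDING = {"mac": bytes.fromhex("010203040506"),
           "addrs": {GUEST, ipaddress.IPv6Address("fe80::302:3ff:fe04:506")}}
UNSPEC = ipaddress.IPv6Address("::")  # source used by duplicate address detection

def check_nd_frame(frame, binding=BINDING):
    """Return the binding violations in a frame received from the guest."""
    if len(frame) < 14 or frame[12:14] != b"\x86\xdd":
        return []                          # not IPv6 (assumes no VLAN tag)
    ip6 = frame[14:]
    if len(ip6) < 41 or ip6[6] != 58 or ip6[40] not in (135, 136):
        return []                          # not NS/NA (assumes no extension headers)
    if len(ip6) < 64:
        return ["truncated ND message"]
    problems = []
    if frame[6:12] != binding["mac"]:
        problems.append("ethernet source MAC")
    src = ipaddress.IPv6Address(ip6[8:24])
    if src not in binding["addrs"] and not (ip6[40] == 135 and src == UNSPEC):
        problems.append("IPv6 source")
    # An NA (136) claims ownership of its target; so does a DAD NS sent from "::".
    target = ipaddress.IPv6Address(ip6[48:64])
    if (ip6[40] == 136 or src == UNSPEC) and target not in binding["addrs"]:
        problems.append("ND target address")
    opts = ip6[64:]
    while len(opts) >= 2:
        olen = opts[1] * 8                 # option length is in units of 8 bytes
        if olen == 0 or olen > len(opts):
            problems.append("malformed option")
            break
        if opts[0] in (1, 2) and opts[2:8] != binding["mac"]:
            problems.append("link-layer address option")
        opts = opts[olen:]
    return problems

def build_na(src_mac, src_ip, target, tlla):
    """Constructed Ethernet/IPv6/NA sample frame (checksum left zero, not verified)."""
    icmp = bytes([136, 0, 0, 0, 0x20, 0, 0, 0]) + target.packed + b"\x02\x01" + tlla
    ip6 = (struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255) + src_ip.packed
           + ipaddress.IPv6Address("ff02::1").packed + icmp)
    return b"\x33\x33\x00\x00\x00\x01" + src_mac + b"\x86\xdd" + ip6
```

A frame whose Ethernet and IPv6 sources both match the binding is still flagged when the target address or link-layer option inside the ICMPv6 payload does not, which is the part that source-only matching leaves unchecked.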
