Changes between Version 3 and Version 7 of Ticket #35


Ignore:
Timestamp:
Dec 7, 2008, 8:53:44 PM (9 years ago)
Author:
quentin
Comment:

(fix the formatting of my comment, and make the description and summary accurate)

That isn't the correct threat model; RPF prevents us from forged source addresses. It doesn't protect from legitimate packets addressed to the backend network. To whit:

root@sctv-television-rx:~# ping 10.5.128.17
PING 10.5.128.17 (10.5.128.17) 56(84) bytes of data.
--- 10.5.128.17 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3009ms
root@aperture-science:~# tcpdump -i eth0 host sctv-television-rx.xvm
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:42:32.610776 IP XVM-65.MIT.EDU > aperture-science-internal: ICMP echo request, id 46180, seq 1, length 64
17:42:33.620334 IP XVM-65.MIT.EDU > aperture-science-internal: ICMP echo request, id 46180, seq 2, length 64
17:42:34.620373 IP XVM-65.MIT.EDU > aperture-science-internal: ICMP echo request, id 46180, seq 3, length 64
17:42:35.620387 IP XVM-65.MIT.EDU > aperture-science-internal: ICMP echo request, id 46180, seq 4, length 64

Guests should never be able to generate traffic on the backend network.

Legend:

Unmodified
Added
Removed
Modified
  • Ticket #35

    • Property Status changed from assigned to reopened
    • Property Summary changed from Set up iptables to not forward arbitrary packets to Set up iptables to not forward arbitrary packets to the backend
  • Ticket #35 – Description

    v3 v7  
    1 Currently the iptables rules don't REJECT or DROP anything; every packet a VM sends is ACCEPTed.  This means VMs can send packets from each other's IP addresses, and black-mesa will happily forward them.  We should change this.
     1Currently the iptables rules don't REJECT or DROP anything; every packet a VM sends is ACCEPTed.  This means VMs can send packets to our backend network, and black-mesa will happily forward them.  We should change this.