Package: xen-utils-common
Version: 3.0.3-0-2
Severity: normal

I'm not an expert in networking but I think that the current setup when using 
network-nat for domains is insecure.

I've configured:
(network-script 'network-nat netdev=eth1')
(vif-script     vif-nat)

So when only domain 0 is started, I get the following :

# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
hortense:~# iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  0    --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


AFAICT, this means that NAT is active even though no vif interface was started 
yet, and is potentially insecure since the default FORWARD rule is accept.
My assumption on the insecure setup is from reading 
http://tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html :
        Common mistakes:

        It appears that a common mistake with new IP Masq users is to make the 
first command simply the following:

        IPTABLES:
        ---------
        iptables -t nat -A POSTROUTING -j MASQUERADE

        Do NOT make your default policy MASQUERADING. Otherwise, someone can 
manipulate their routing tables to tunnel straight back through your gateway, 
using it to masquerade their OWN identity!


Maybe I'm wrong or there's another interaction, but I think that the masquerade 
should be started only when the first domU is started, and not when xend is 
started.

Btw, I cannot find a lot of docs on the nat scripts and I'm not completely sure 
how they should be used... so any hints on docs would be very much welcome too.

Hope this helps,

Best regards,


-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-4-xen-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages xen-utils-common depends on:
ii  lsb-base                      3.1-23.1   Linux Standard Base 3.1 init scrip
ii  udev                          0.105-4    /dev/ and hotplug management daemo

xen-utils-common recommends no packages.

-- no debconf information
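As an added illustration of the condition the report describes (not part of the bug report or of the xen-utils-common scripts), the following shell snippet parses `iptables -L -n` style listings and flags the combination the reporter considers insecure: a MASQUERADE rule with an unrestricted 0.0.0.0/0 source while the FORWARD chain's policy is ACCEPT. The sample listings are constructed to match the output quoted above; the second, source-scoped sample (the 10.0.0.0/8 subnet is an assumed value, not taken from the report) shows what a rule limited to the domU network looks like and is reported as not open.

```shell
#!/bin/sh
# Added example: audit iptables listings for an unrestricted MASQUERADE rule
# combined with a default-ACCEPT FORWARD policy. Samples below are constructed
# to mirror the bug report; on a live system you would feed in the output of
# `iptables -L -n -t nat` and `iptables -L -n` instead.

SAMPLE_NAT='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  0    --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed hardened variant: MASQUERADE only for an assumed domU subnet.
SAMPLE_NAT_SCOPED='Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  0    --  10.0.0.0/8           0.0.0.0/0'

SAMPLE_FILTER='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Exit 0 if the nat listing in $1 contains a MASQUERADE rule whose source
# column is 0.0.0.0/0 (i.e. any host may be masqueraded), 1 otherwise.
unrestricted_masquerade() {
    printf '%s\n' "$1" | awk '
        $1 == "MASQUERADE" && $4 == "0.0.0.0/0" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Print the default policy of chain $1 from the filter listing in $2.
chain_policy() {
    printf '%s\n' "$2" | awk -v chain="$1" '
        $1 == "Chain" && $2 == chain { gsub(/\)/, "", $4); print $4; exit }'
}

# Exit 0 when both conditions from the report hold: masquerade everything and
# forward by default. Exit 1 when either condition is absent.
nat_setup_is_open() {
    unrestricted_masquerade "$1" &&
        [ "$(chain_policy FORWARD "$2")" = "ACCEPT" ]
}

# Stand-alone run over the constructed samples.
if nat_setup_is_open "$SAMPLE_NAT" "$SAMPLE_FILTER"; then
    echo "open: unrestricted MASQUERADE with FORWARD policy ACCEPT"
fi
if ! nat_setup_is_open "$SAMPLE_NAT_SCOPED" "$SAMPLE_FILTER"; then
    echo "scoped sample: MASQUERADE limited by source, not flagged"
fi
```

The check only inspects the listing text; it does not tell you whether a vif interface exists. Restricting the MASQUERADE rule's source (or adding it only once a domU's interface is up, as the reporter suggests) is what turns the first sample into the second.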

