Re: ebtables ipv6 support

Posted: 2015/01/14 14:14:31
by dan223
Neither option would work for us :(

Re: ebtables ipv6 support

Posted: 2015/01/14 14:21:34
by Super Jamie
How about deploying another system in front of the EL5 system, where the other system acts as the firewall for the traffic you need to filter and lets everything else through?

The small firewall system could run EL6 or EL7, or even some targeted firewall/router distro which provides a Xen image like OpenWrt.

Re: ebtables ipv6 support

Posted: 2015/01/14 14:26:27
by dan223
The main purpose of this currently is to limit certain IPs to certain VIFs to stop IP stealing as well as preventing ARP attacks, which is why ebtables is being used at the moment.

Re: ebtables ipv6 support

Posted: 2015/01/14 15:00:09
by Super Jamie
So you're firewalling the bridges in Dom0 and an EL5 DomU either has its traffic accepted or denied, but the DomU knows nothing of the firewall?

If so, can you replace the EL5 Dom0 with an EL6 Dom0? I'm barely literate in Xen terminology but I believe that's possible to do.

You're at the limit of my knowledge of Xen, and I can't think of anything else which would let you run IPv6 ebtables on EL5. Let us know what you come up with.