From: Nuno Silva (nuno.silva_at_vgertech.com)
Date: Mon 20 Jan 2003 - 16:34:48 GMT
Ok, the same applies:
Linux doesn't write to the wire unless it has to (the address is not local).
Using lo is good to prevent the vserver from receiving traffic from the
wire, though...
Regards,
Nuno Silva
Luís Miguel Silva wrote:
> Hello Nuno :o)
>
> When I mentioned using lo for "sniffing protection" I was thinking about
> protecting the vservers' network data flow from other servers on the same
> network! :o) (not about sniffing the data between vservers/root server).
>
> Regards,
> Luís Miguel Silva
>
>
>>
>>Luís Miguel Silva wrote:
>>
>>[..snip..]
>>
>>
>>>Since I thought *somebody could sniff the data between vservers* I
>>>chose to bind them into the lo interface! That way they can still
>>>communicate with each other and be "secure" ;o) [would somebody
>>>correct me on this if I'm wrong?]
>>
>>Hello Luís!
>>
>>In the default vserver .conf, the vservers' root can't control the
>>network interfaces, so vservers' root can't enable promisc mode and
>>can't run a sniffer.
>>
>>If the vservers' root could enable sniffing (you added CAP_NET_* to the
>>vservers' capabilities list, for instance) then he could do it in eth0
>>or lo... So, afaict, chbind'ing to eth0: or lo: it's the same in terms
>>of "sniffer protection".
>>
>>Best regards,
>>Nuno Silva
>
>
>
> +-----------------------------------------
> | Luís Miguel Silva
> | Network Administrator@ ISPGaya.pt
> | Rua António Rodrigues da Rocha, 291/341
> | Sto. Ovídio • 4400-025 V. N. de Gaia
> | Portugal
> | T: +351 22 3745730/3/5 F: +351 22 3745738
> | G: +351 93 6371253 E: lms_at_ispgaya.pt
> | H: http://lms.ispgaya.pt/
> +-----------------------------------------
>
>
>
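The quoted reply's point, that a vserver root without CAP_NET_* cannot enable promiscuous mode or run a sniffer whichever interface it is chbind'ed to, can be checked from a process's capability sets. This is an added example, not part of the original thread: it assumes a Linux `/proc/<pid>/status` with `CapPrm`/`CapEff` lines, the function names are hypothetical, and both sample status texts are constructed.

```python
import re

# Bit numbers of the CAP_NET_* family in linux/capability.h.
NET_CAPS = {
    10: "CAP_NET_BIND_SERVICE",
    11: "CAP_NET_BROADCAST",
    12: "CAP_NET_ADMIN",  # required to put an interface into promiscuous mode
    13: "CAP_NET_RAW",    # required to open raw / packet sockets
}

def parse_cap_sets(status_text):
    """Return e.g. {'CapPrm': int, 'CapEff': int} from /proc/<pid>/status text."""
    found = re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    return {m.group(1): int(m.group(2), 16) for m in found}

def net_caps(mask):
    """Names of the CAP_NET_* bits set in a capability mask."""
    return sorted(name for bit, name in NET_CAPS.items() if (mask >> bit) & 1)

def sniff_exposure(status_text):
    """Report whether the process holds the capabilities a sniffer needs."""
    sets = parse_cap_sets(status_text)
    if "CapEff" not in sets:
        raise ValueError("no CapEff line in status text")
    # Permitted capabilities can be raised into the effective set, so count both.
    usable = sets["CapEff"] | sets.get("CapPrm", 0)
    held = net_caps(usable)
    return {
        "net_caps": held,
        "capture_possible": "CAP_NET_RAW" in held,
        "promisc_possible": "CAP_NET_ADMIN" in held,
    }

# Constructed samples: a root with CAP_NET_ADMIN/CAP_NET_RAW removed, and one
# where they were added back to the capabilities list.
RESTRICTED = "Name:\tbash\nCapInh:\t0000000000000000\nCapPrm:\t00000000ffffceff\nCapEff:\t00000000ffffceff\n"
GRANTED = "Name:\tbash\nCapInh:\t0000000000000000\nCapPrm:\t00000000fffffeff\nCapEff:\t00000000fffffeff\n"

if __name__ == "__main__":
    for label, text in (("restricted", RESTRICTED), ("granted", GRANTED)):
        print(label, sniff_exposure(text))
    try:
        # Inspect the current process when run on a Linux host.
        with open("/proc/self/status") as fh:
            print("self", sniff_exposure(fh.read()))
    except (OSError, ValueError):
        pass
```

The result depends only on the capability masks, not on the interface the process is bound to, which matches the reply's conclusion that eth0 and lo are equivalent for this purpose.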