openstack team mailing list archive

Re: question about security

 

I have multiple interfaces and my network is similar to what you describe,

so I just need to make all other services not listen on 0.0.0.0

Thank you Vish

William

On Fri, Jun 1, 2012 at 3:39 PM, Vishvananda Ishaya <vishvananda@xxxxxxxxx> wrote:

> Generally I handle this by using a different eth device (or vlan) for the
> instance network.  Then you make sure that no services on compute are
> listening on 0.0.0.0
>
> If you have only one interface for example, you can run three vlans across
> it
>
> eth0:10 -> public network <public ip address> for routing and floating ips
> and such. Nothing should listen here
> eth0:11 -> management network <192.168.0.0/24 range> Rabbit and mysql run
> on this network. All services (ssh, etc.) run here
> eth0:12 -> vm network <10.0.0.0/8 range> for vms. Nothing should listen
> here (except dnsmasq obviously)
>
> Vish
>
> On May 31, 2012, at 7:35 PM, William Herry wrote:
>
> We use FlatDHCP network mode. Everything works fine; instances have a
> 10.0.0.x IP and 10.0.0.1 as gateway.
> Our problem is that services (most of the time on the compute node) have
> little restriction from instances: an instance can see a lot of open ports
> on the services. I am wondering whether this is a security problem.
>
> Restricting services on the compute node so they do not listen on the
> 10.0.0.x IP is the way I can think of to solve this. Any other ways?
>
> Thanks
>
> --
>
>
>
> William Herry
> ====================
> WilliamHerryChina@xxxxxxxxx
>


-- 



William Herry
====================
WilliamHerryChina@xxxxxxxxx
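
A way to check a compute node against the layout Vish describes, as an added example that is not part of the original thread: it parses `ss -H -ltnp` output and reports TCP listeners bound to the wildcard address, to the VM network (other than dnsmasq), or to any address outside the management network. The sample output is constructed, the ranges are the ones quoted in the thread, and the function names are hypothetical.

```python
import ipaddress
import re

# Ranges taken from the thread; adjust to the real deployment.
MGMT_NET = ipaddress.ip_network("192.168.0.0/24")   # management network
VM_NET = ipaddress.ip_network("10.0.0.0/8")         # instance network
VM_NET_ALLOWED = {"dnsmasq"}                        # only expected listener there

# Constructed sample of `ss -H -ltnp` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 192.168.0.5:3306 0.0.0.0:* users:(("mysqld",pid=990,fd=14))
LISTEN 0 32 10.0.0.1:53 0.0.0.0:* users:(("dnsmasq",pid=1502,fd=7))
LISTEN 0 128 10.0.0.1:16509 0.0.0.0:* users:(("libvirtd",pid=1333,fd=5))
LISTEN 0 128 [::]:5672 [::]:* users:(("beam.smp",pid=1100,fd=17))
LISTEN 0 128 127.0.0.1:11211 0.0.0.0:* users:(("memcached",pid=700,fd=26))
"""

def classify(line):
    """Return (local_address, process, verdict) for one LISTEN line."""
    local = line.split()[3]                     # State Recv-Q Send-Q Local Peer
    host, _port = local.rsplit(":", 1)
    host = host.strip("[]").split("%")[0]       # drop IPv6 brackets and %iface scope
    m = re.search(r'users:\(\("([^"]+)"', line)
    proc = m.group(1) if m else "unknown"       # process column needs root
    if host in ("*", "0.0.0.0", "::"):
        return local, proc, "wildcard"          # reachable from every network
    addr = ipaddress.ip_address(host)
    if addr.is_loopback or addr in MGMT_NET:
        return local, proc, "ok"
    if addr in VM_NET:
        return local, proc, "ok" if proc in VM_NET_ALLOWED else "vm-network"
    return local, proc, "other-network"         # e.g. the public address

def audit(ss_output):
    """Return the listeners that instances or outside hosts could reach."""
    lines = [l for l in ss_output.splitlines() if l.startswith("LISTEN")]
    return [r for r in map(classify, lines) if r[2] != "ok"]

if __name__ == "__main__":
    for local, proc, verdict in audit(SAMPLE_SS):
        print(f"{verdict:14} {local:22} {proc}")
```

On a real node, feed it the output of `ss -H -ltnp` run as root; each reported service then needs its bind address set to the management IP in its own configuration.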