
william.herry.china at gmail
Jun 1, 2012, 12:58 AM
Post #3 of 3
I have multiple interfaces and my network is similar to what you describe, so I just need to make all other services not listen on 0.0.0.0.

Thank you Vish

William

On Fri, Jun 1, 2012 at 3:39 PM, Vishvananda Ishaya <vishvananda [at] gmail> wrote:

> Generally I handle this by using a different eth device (or vlan) for the instance network. Then you make sure that no services on compute are listening on 0.0.0.0
>
> If you have only one interface for example, you can run three vlans across it
>
> eth0:10 -> public network <public ip address> for routing and floating ips and such. Nothing should listen here
> eth0:11 -> management network <192.168.0.0/24 range> Rabbit and mysql run on this network. All services (ssh, etc.) run here
> eth0:12 -> vm network <10.0.0.0/8 range> for vms. Nothing should listen here (except dnsmasq obviously)
>
> Vish
>
> On May 31, 2012, at 7:35 PM, William Herry wrote:
>
> > We use FlatDHCP network mode, everything works fine, instances have a 10.0.0.x IP and 10.0.0.1 as gateway.
> > Our problem is that services (most of the time on the compute node) have little restriction from instances, so an instance can see a lot of open ports on the services. I am wondering if this is a security problem.
> >
> > Restricting services on the compute node from listening on the 10.0.0.x IP is the way I can think of to solve this; any other ways?
> >
> > Thanks
> >
> > --
> >
> > William Herry
> > ====================
> > WilliamHerryChina [at] Gmail
> >
> > _______________________________________________
> > Mailing list: https://launchpad.net/~openstack
> > Post to : openstack [at] lists
> > Unsubscribe : https://launchpad.net/~openstack
> > More help : https://help.launchpad.net/ListHelp

--
William Herry
====================
WilliamHerryChina [at] Gmail
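A defender-side check for what the thread recommends, added here as an example and not code from the thread or from OpenStack: it reads `ss -lntu` style output and flags every listener that an instance on the 10.0.0.0/8 vm network could reach, treating only dnsmasq's ports on that network as expected. The `10.` prefix, the dnsmasq port list and the sample `ss` lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: audit a compute node's listening sockets
# for services an instance on the vm network could reach. Reads `ss -lntu`
# style output on stdin (Netid State Recv-Q Send-Q Local:Port Peer:Port).

VM_NET_PREFIX="10."     # vm network 10.0.0.0/8, as in the thread
DNSMASQ_PORTS="53 67"   # assumption: dnsmasq (DNS/DHCP) is the only expected vm-network listener

# exposed_listeners: print "proto addr:port" for every socket an instance could
# hit: a wildcard bind (0.0.0.0, *, [::]) or a bind on a vm-network address
# other than dnsmasq's ports. Sockets bound only to the management network pass.
exposed_listeners() {
  awk -v vm="$VM_NET_PREFIX" -v allow="$DNSMASQ_PORTS" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "Netid" { next }                      # skip the ss header line
    {
      laddr = $5
      k = split(laddr, parts, ":"); port = parts[k]          # text after last ":"
      addr = substr(laddr, 1, length(laddr) - length(port) - 1)
      wildcard = (addr == "0.0.0.0" || addr == "*" || addr == "[::]")
      on_vm_net = (index(addr, vm) == 1)
      if (wildcard || (on_vm_net && !(port in ok)))
        print $1, addr ":" port
    }'
}

# Constructed sample of `ss -lntu` output (not a real capture): sshd on the
# wildcard, mysql on the management address, rabbit on the vm gateway,
# dnsmasq on the vm gateway, and an IPv6 wildcard sshd.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128    192.168.0.5:3306  0.0.0.0:*
tcp   LISTEN 0      128    10.0.0.1:5672     0.0.0.0:*
udp   UNCONN 0      0      10.0.0.1:53       0.0.0.0:*
tcp   LISTEN 0      128    [::]:22           [::]:*'

# Run against the sample; on a real node use: ss -lntu | exposed_listeners
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

Only the mysql line bound to the management address survives the check; the sshd wildcard binds and the rabbit socket on the vm gateway are the ones Vish's layout says should move to the management network.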