All dom0/domUs are CentOS 4.2, but the RHEL and Fedora firewalls are
almost identical in base configuration.
dom0 was rebuilt to contain all the firewall modules required for CentOS
4.2. domU has no firewalling capability.
dom0 is on vif0.0 and domU here is on vif3.0.
I suspect that if I move to static IP addresses this won't end up being
much of a problem, but it would be nice to add a couple more rules to
make DHCP work. I want to eventually have at the very least the "basic"
CentOS firewall available on my dom0 and domU.
I modified vif-common.sh to allow network traffic in the FORWARD chain
with the default RH Firewall:
--- /etc/xen/scripts/vif-common.sh.orig 2005-11-28 21:11:03.000000000 -0700
+++ /etc/xen/scripts/vif-common.sh 2005-11-28 21:09:58.000000000 -0700
@@ -61,11 +61,13 @@
else
local c="-D"
fi
+ -D FORWARD -j RH-Firewall-1-INPUT
iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT ||
[ "$c" == "-D" ] ||
log err \
"iptables $c FORWARD -m physdev --physdev-in $vif $@ -j ACCEPT
failed.
If you are using iptables, this may affect networking for guest domains."
+ -A FORWARD -j RH-Firewall-1-INPUT
}
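Review bot: both added lines are missing the `iptables` command itself; as written, `-D FORWARD -j RH-Firewall-1-INPUT` and `-A FORWARD -j RH-Firewall-1-INPUT` would be run as commands named `-D` and `-A` and fail. They should read `iptables -D FORWARD -j RH-Firewall-1-INPUT 2>/dev/null` (the delete legitimately fails the first time the jump does not exist yet, so its exit status should be ignored) and `iptables -A FORWARD -j RH-Firewall-1-INPUT`. Also note the hard-coded `-D`/`-A` pair ignores `$c`, so the jump is deleted and re-appended on the vif teardown path as well as on setup, and because it is always appended last, anything not matched by a per-vif `--physdev-in` ACCEPT (packets bridged in from peth0 or vif0.0, for instance) falls through into RH-Firewall-1-INPUT and is logged and rejected, which is what the DHCP broadcasts in the log below show.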
The firewall rules end up being:
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere PHYSDEV match --physdev-in vif3.0
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
LOG all -- anywhere anywhere LOG level warning
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Starting the dom0 dhclient results in this firewall log on dom0:
----
# dhclient eth0
Nov 29 21:08:37 xen-dom0 kernel: IN=xenbr0 OUT=xenbr0 PHYSIN=vif0.0 PHYSOUT=vif3.0 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Nov 29 21:08:37 xen-dom0 kernel: IN=xenbr0 OUT=xenbr0 PHYSIN=vif0.0 PHYSOUT=peth0 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Nov 29 21:08:37 xen-dom0 kernel: IN=xenbr0 OUT= PHYSIN=vif0.0 PHYSOUT=peth0 MAC=ff:ff:ff:ff:ff:ff:00:01:02:be:88:3f:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Starting the domU dhclient results in this firewall log on dom0:
----
# dhclient eth0
Nov 29 21:11:45 xen-dom0 kernel: IN=xenbr0 OUT= PHYSIN=vif3.0 PHYSOUT=vif0.0 MAC=ff:ff:ff:ff:ff:ff:00:16:3e:0f:9d:70:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Nov 29 21:11:45 xen-dom0 kernel: IN=eth0 OUT= PHYSIN=vif3.0 PHYSOUT=vif0.0 MAC=ff:ff:ff:ff:ff:ff:00:16:3e:0f:9d:70:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Nov 29 21:11:47 xen-dom0 kernel: IN=xenbr0 OUT=xenbr0 PHYSIN=peth0 PHYSOUT=vif3.0 SRC=192.168.2.2 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556
Nov 29 21:11:47 xen-dom0 kernel: IN=xenbr0 OUT=xenbr0 PHYSIN=peth0 PHYSOUT=vif0.0 SRC=192.168.2.2 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556
Nov 29 21:11:47 xen-dom0 kernel: IN=xenbr0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=ff:ff:ff:ff:ff:ff:00:13:10:2d:93:b2:08:00 SRC=192.168.2.2 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556
-Mike
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
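As an added example, not code from the post or from Xen's own scripts, the POSIX sh script below classifies netfilter LOG lines in the format shown above (client DHCP request, server DHCP reply, or other) and prints, as a dry run, the iptables rules that would admit that traffic ahead of the RH-Firewall-1-INPUT jumps. It assumes the bridge name xenbr0 seen in the log and uses constructed sample lines.

```shell
#!/bin/sh
# Classify dom0 netfilter LOG lines and print the iptables rules (not executed)
# that would let the logged DHCP exchange through. Assumes the bridge is
# xenbr0 as in the post's log; the sample lines below are constructed.
SAMPLE_LOG='Nov 29 21:08:37 xen-dom0 kernel: IN=xenbr0 OUT=xenbr0 PHYSIN=vif0.0 PHYSOUT=peth0 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Nov 29 21:11:47 xen-dom0 kernel: IN=xenbr0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=ff:ff:ff:ff:ff:ff:00:00:00:00:00:01:08:00 SRC=192.168.2.2 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556
Nov 29 21:12:00 xen-dom0 kernel: IN=xenbr0 OUT=xenbr0 PHYSIN=peth0 PHYSOUT=vif3.0 SRC=192.168.2.2 DST=192.168.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=443 DPT=34567'

# Pull one " KEY=VALUE" field out of a LOG line (empty if absent or valueless).
# The leading space keeps OUT= from matching inside PHYSOUT=.
field() { printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p"; }

# Classify a line as "<kind>|<OUT>|<PHYSIN>|<PHYSOUT>", where kind is
# dhcp-request (client -> server, 68 -> 67), dhcp-reply (67 -> 68) or other.
classify() {
  proto=$(field "$1" PROTO); spt=$(field "$1" SPT); dpt=$(field "$1" DPT)
  kind=other
  if [ "$proto" = UDP ] && [ "$spt" = 68 ] && [ "$dpt" = 67 ]; then kind=dhcp-request
  elif [ "$proto" = UDP ] && [ "$spt" = 67 ] && [ "$dpt" = 68 ]; then kind=dhcp-reply
  fi
  printf '%s|%s|%s|%s\n' "$kind" "$(field "$1" OUT)" "$(field "$1" PHYSIN)" "$(field "$1" PHYSOUT)"
}

# Print the iptables command that would admit this kind of packet. An empty
# OUT means the packet was headed for dom0's own stack (INPUT chain); anything
# else was bridged (FORWARD chain). -I inserts at the top, ahead of the
# RH-Firewall-1-INPUT jump that logged and rejected it. Returns 1 for non-DHCP.
rule_for() {  # $1 = kind, $2 = OUT interface from the log line
  case "$1" in
    dhcp-request) ports='--sport 68 --dport 67' ;;
    dhcp-reply)   ports='--sport 67 --dport 68' ;;
    *) return 1 ;;
  esac
  if [ -n "$2" ]; then chain="FORWARD -i xenbr0 -o $2"; else chain='INPUT -i xenbr0'; fi
  printf 'iptables -I %s -p udp %s -j ACCEPT\n' "$chain" "$ports"
}

# Distinct rules a whole log excerpt calls for (one per line, sorted).
rules_from_log() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    c=$(classify "$line")
    rule_for "${c%%|*}" "$(printf '%s' "$c" | cut -d'|' -f2)" || true
  done | sort -u
}
rules_from_log "$SAMPLE_LOG"
```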