WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Xen-users] firewalls and Xen

from [Luke] [Permanent Link][Original]
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] firewalls and Xen
From: Luke <secureboot@xxxxxxxxx>
Date: Tue, 14 Feb 2006 10:05:10 -0500
Delivery-date: Tue, 14 Feb 2006 15:18:29 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx 
I'm trying to do firewalling on Xen, and am becoming a bit confused.
I want to do filtering based on the interface name for a number of rules. 

I'd like to say:
anything coming into dom0 from the internet is okay.

I tried:
anything coming in on physical interface peth0 with outgoing physical interface vif0.0 is okay. 

This seems to work.



The one that doesn't work:

I want to say -
anything from any domU to dom0 is NOT okay

I said:
if physical interface of incoming packets is not peth0 and destination physical interface is vif0.0 reject.
This doesn't seem to work, as the dom0 is no longer able to connect to things.
Is there a good discussion as to which interfaces packets go to/from in which cases? When do packets go through peth0? When do they only go through the vif devices? 

I'm using firehol to generate the IPTables scripts...

--
Luke

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-users] Running Xen 2.0 for Counter Strike: Source, Mark Williamson
Next by Date:  Re: [Xen-users] might XenSpecificGlibc help me?, Anthony Liguori
Previous by Thread:  [Xen-users] Running Xen 2.0 for Counter Strike: Source, Bart van den Heuvel
Next by Thread:  Re: [Xen-users] firewalls and Xen, Daniel Goertzen
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy