xen-users
Re: [Xen-users] Domain0 and firewalls
On Wednesday 22 February 2006 08:48, David Koski wrote:
> I am trying to configure a firewall (shorewall) for Domain0 and
> found this document:
>
> http://www.shorewall.net/Xen.html
>
> I had tried to simply install shorewall as I have done many times
> before on non-Xen systems but could not get traffic through the
> interfaces (eth0, eth1).
>
> The document above seems to imply that both eth0 and xenbr0
> interfaces have to be configured. All I am interested in is
> controlling traffic to and from Domain0, not the domUs. I want
> shorewall installed on each domU. Anyone have experience with
> this? Do domUs have special considerations when installing
> iptables rules? Can I use iptables in Domain0 on eth0 like a
> non-Xen system?
If your kernel is built with CONFIG_BRIDGE_NETFILTER=y (which most are), you
cannot totally ignore the bridge in Dom0 when configuring your firewall.
There are a couple of approaches you can take to modify a standard Shorewall
sample configuration to do what you want though:
a)
  - Add ipv4 zone 'xen' to /etc/shorewall/zones
  - add the following entry to /etc/shorewall/interfaces:

        xen    xenbr0    routeback

b)
  - Define explicit policies for all of your zone combinations
  - change the all->all policy to ACCEPT (with no logging)
I prefer a). It is similar to what I do (see
http://www.shorewall.net/XenMyWay.html).
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@xxxxxxxxxxxxx
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
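Approach a) from the reply above, spelled out as an added example of the Shorewall 3.x files involved; this is not configuration from the mail or from the Shorewall documentation. The "before" files are the standard one-interface sample that ignores the bridge; the "after" files add the xen zone on xenbr0 with routeback. The eth0 options and the policy lines (letting bridged domU traffic pass unfiltered in Dom0, since the domUs run their own firewalls) are assumptions, not something the page specifies.

```text
### BEFORE: standard one-interface sample, Dom0 firewalled as a non-Xen host.
### With CONFIG_BRIDGE_NETFILTER=y, frames bridged across xenbr0 still hit
### the FORWARD chain, and xenbr0 is in no zone, so they are dropped.

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs      # options assumed

# /etc/shorewall/policy
#SOURCE DEST    POLICY  LOG LEVEL
$FW     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info


### AFTER: approach a) - give the bridge its own zone so bridged traffic
### can be matched explicitly instead of falling through to all->all.

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
xen     ipv4                    # new zone for the Xen bridge

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs      # options assumed
xen     xenbr0      detect      routeback              # as in the reply

# /etc/shorewall/policy
#SOURCE DEST    POLICY  LOG LEVEL
$FW     net     ACCEPT
xen     xen     ACCEPT          # assumed: bridged domU traffic (routeback)
                                # is left to the domUs' own firewalls
net     all     DROP    info
all     all     REJECT  info    # Dom0 itself stays firewalled as before
```

After editing, `shorewall check` validates the files and `shorewall restart` applies them.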