WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/

Re: [Xen-users] Domain0 and firewalls

On Wednesday 22 February 2006 01:14 pm, Tom Eastep wrote:

<snip>

> If your kernel is built with CONFIG_BRIDGE_NETFILTER=y (which most are), you
> cannot totally ignore the bridge in Dom0 when configuring your firewall.
> There are a couple of approaches you can take to modify a standard Shorewall 
> sample configuration to do what you want though:
> 
> a)
>       - Add ipv4 zone 'xen' to /etc/shorewall/zones 
>       - add the following entry to /etc/shorewall/interfaces:
> 
>               xen     xenbr0          routeback
> 
> b)
>       - Define explicit policies for all of your zone combinations
>       - change the all->all policy to ACCEPT (with no logging)
> 
> I prefer a). It is similar to what I do (see 
> http://www.shorewall.net/XenMyWay.html).

Thanks Tom.  Since I have eth0 and eth1 I have put this in zones:

fw      firewall
xen0    ipv4
xen1    ipv4

...and this in interfaces:

xen0    xenbr0      detect      routeback
xen1    xenbr1      detect      routeback

Perhaps xen0 would be better named loc and xen1 named dmz.

Is that it?

I have printed XenMyWay.html but it is going to take a while to absorb.

Regards,
David Koski
david.nospham@xxxxxxxxxxxxxxxx
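The zones/interfaces pair above can be sanity-checked mechanically before Shorewall is restarted. The script below is an added example, not from the original thread or from Shorewall itself; it embeds the two files as constructed sample text, assumes bridge interfaces are named with the `xenbr` prefix, and parses only the columns shown in the post (ZONE TYPE and ZONE INTERFACE BROADCAST OPTIONS). The function names are hypothetical.

```python
"""Consistency check for the Shorewall zones/interfaces files discussed above."""

# Constructed sample: the zones and interfaces entries from the post.
ZONES_TXT = """
#ZONE   TYPE
fw      firewall
xen0    ipv4
xen1    ipv4
"""
INTERFACES_TXT = """
#ZONE   INTERFACE   BROADCAST   OPTIONS
xen0    xenbr0      detect      routeback
xen1    xenbr1      detect      routeback
"""

def parse_columns(text):
    """Yield whitespace-split columns for each non-comment, non-blank line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def parse_zones(text):
    """Map zone name -> zone type (e.g. 'fw' -> 'firewall')."""
    return {cols[0]: cols[1] for cols in parse_columns(text)}

def parse_interfaces(text):
    """Return (zone, interface, set of options) for each interfaces entry."""
    result = []
    for cols in parse_columns(text):
        has_opts = len(cols) > 3 and cols[3] != "-"
        opts = set(cols[3].split(",")) if has_opts else set()
        result.append((cols[0], cols[1], opts))
    return result

def check_config(zones_txt, interfaces_txt, bridge_prefix="xenbr"):
    """Return a list of problems; an empty list means the files are consistent."""
    zones = parse_zones(zones_txt)
    problems = []
    if list(zones.values()).count("firewall") != 1:
        problems.append("exactly one zone of type 'firewall' is required")
    for zone, iface, opts in parse_interfaces(interfaces_txt):
        if zone not in zones:
            problems.append(f"{iface}: zone '{zone}' is not defined in zones")
        elif zones[zone] == "firewall":
            problems.append(f"{iface}: the firewall zone cannot be bound to an interface")
        # With CONFIG_BRIDGE_NETFILTER=y, domU-to-domU traffic on one bridge enters
        # and leaves Dom0's FORWARD chain on the same interface; 'routeback' allows it.
        if iface.startswith(bridge_prefix) and "routeback" not in opts:
            problems.append(f"{iface}: bridge interface lacks the 'routeback' option")
    return problems
```

Running `check_config(ZONES_TXT, INTERFACES_TXT)` on the post's entries returns an empty list; dropping `routeback` from a `xenbr` line or referencing an undefined zone such as `loc` produces a message per defect.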

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users