WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-users] Domain0 and firewalls

from [David Koski] [Permanent Link][Original]
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Domain0 and firewalls
From: David Koski <david@xxxxxxxxxxxxxxxx>
Date: Tue, 28 Feb 2006 20:59:26 -0800
Delivery-date: Wed, 01 Mar 2006 05:00:17 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <200602221633.58595.teastep@xxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <200602220848.07830.david@xxxxxxxxxxxxxxxx> <200602221349.24614.david@xxxxxxxxxxxxxxxx> <200602221633.58595.teastep@xxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: KMail/1.8.2 
On Wednesday 22 February 2006 04:33 pm, Tom Eastep wrote:
> On Wednesday 22 February 2006 13:49, David Koski wrote:
> 
> >
> > Thanks Tom.  Since I have eth0 and eth1 I have put this in zones:
> >
> > fw      firewall
> > xen0    ipv4
> > xen1    ipv4
> >
> > ..and this in interfaces:
> >
> > xen0    xenbr0      detect      routeback
> > xen1    xenbr1      detect      routeback
> >
> > Perhaps xen0 would be better named loc and xen1 named dmz.
> 
> Shorewall attaches absolutely no meaning to zone names so you can call them 
> 'foo' and 'bar' if you like; whatever has meaning to you.
> 
> >
> > Is that it?
> 
> Looks fine.

I must be missing something because shorewall blocks all access.

eth0=192.168.0.99
eth1=64.175.19.254

Here are my files:

interfaces:
loc xenbr0 detect routeback
net xenbr1 detect routeback,norfc1918

params:
LOG=ULOG

policy:
$FW all ACCEPT
net all DROP $LOG
loc all DROP $LOG
all all REJECT $LOG

ACCEPT loc $FW tcp 22
ACCEPT net:64.175.19.240/28 $FW tcp 22
ACCEPT net:64.175.19.34 $FW tcp 22
ACCEPT net:65.183.195.218 $FW tcp 22
ACCEPT loc $FW icmp - - - 5/s ec:10
ACCEPT net $FW icmp - - - 5/s ec:10

zones:
fw firewall # Domain 0
loc ipv4
net ipv4

Thanks in advance.

David Koski
david@xxxxxxxxxxxxxxxx



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Xen-users] PCI Passthrough, Alex . Pearson
Next by Date:  [Xen-users] trouble in xen installation, sheetal stephen
Previous by Thread:  [Xen-users] PCI Passthrough, Alex . Pearson
Next by Thread:  Re: [Xen-users] Domain0 and firewalls, Tom Eastep
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy