WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/

xen-users

Re: [Xen-users] Firewalls

On Friday 07 April 2006 10:44, Jacob S wrote:

>
> So, now my question is, is it expected for network-bridge to be
> incompatible with iptables, or is this a bug?
>

Neither -- it is rather your lack of understanding of how bridges (like the 
one created by xend) and iptables/Netfilter interact.

When your kernel is compiled with CONFIG_BRIDGE_NETFILTER=y, traffic passing 
through bridges is processed by Netfilter. When xend starts, it creates a 
bridge (xenbr0) through which all traffic into and out of eth0 flows.
See the first part of http://www.shorewall.net/Xen.html for details.

So to make your existing script work in dom0, at the very least you need to 
add:

        $IPTABLES -A FORWARD -i xenbr0 -o xenbr0 -j ACCEPT

Configuring a secure firewall in dom0 that also controls traffic to/from the 
domUs is a rather complex task -- I find it easier to run my firewall in a 
domU (see http://www.shorewall.net/XenMyWay.html).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@xxxxxxxxxxxxx
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

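An added example, not part of Tom's reply: a dry-run generator for a minimal dom0 ruleset that shows where his `FORWARD -i xenbr0 -o xenbr0` rule has to sit once bridge netfilter is active, plus a check of the `/proc/sys/net/bridge/bridge-nf-call-iptables` knob. Only the bridge name and that one rule come from the post; the default-DROP policies, the ssh rule and the state-match rules are assumptions about what "your existing script" typically contains.

```shell
#!/bin/sh
# Added example (not from the original post). By default this only prints the
# iptables commands; set IPTABLES=iptables to apply them for real.
IPTABLES="${IPTABLES:-echo iptables}"
BRIDGE="${BRIDGE:-xenbr0}"     # bridge created by xend, as in the post

# Report whether bridged frames are handed to iptables at all.
# Prints "1" (on), "0" (off) or "absent" (no bridge-nf in this kernel).
bridge_nf_state() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Emit a minimal dom0 ruleset. With CONFIG_BRIDGE_NETFILTER=y every guest
# frame switched across xenbr0 traverses FORWARD, so a default-DROP FORWARD
# chain silently cuts the domUs off unless bridged traffic is accepted first.
dom0_rules() {
    $IPTABLES -P INPUT DROP                              # assumed policy
    $IPTABLES -P FORWARD DROP                            # assumed policy
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT       # assumption: ssh to dom0
    # The rule from the post: frames staying within the bridge are allowed.
    $IPTABLES -A FORWARD -i "$BRIDGE" -o "$BRIDGE" -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Count the bridge-to-bridge accept lines in the generated ruleset so a
# wrapper script can verify the rule was not forgotten (expect exactly 1).
count_bridge_accept() {
    dom0_rules | grep -c -- "-A FORWARD -i $BRIDGE -o $BRIDGE -j ACCEPT"
}

echo "bridge-nf-call-iptables: $(bridge_nf_state)"
dom0_rules
```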

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users