WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-users] Firewalls

from [Tom Eastep] [Permanent Link][Original]
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Firewalls
From: Tom Eastep <teastep@xxxxxxxxxxxxx>
Date: Fri, 7 Apr 2006 13:15:27 -0700
Cc: Jacob S <stormspotter@xxxxxxxxxxx>
Delivery-date: Fri, 07 Apr 2006 13:16:01 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <20060407124455.173748ef@xxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <20060407090406.2a25baee@xxxxxxxxxxxxxxxxx> <20060407124455.173748ef@xxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: KMail/1.9.1 
On Friday 07 April 2006 10:44, Jacob S wrote:

>
> So, now my question is, is it expected for network-bridge to be
> incompatible with iptables, or is this a bug?
>

Neither -- it is rather your lack of understanding of how bridges (like the 
one created by xend) and iptables/Netfilter interact.

When your kernel is compiled with CONFIG_BRIDGE_NETFILTER=y, traffic passing 
through bridges is processed by Netfilter. When xend starts, it creates a 
bridge (xenbr0) through which all traffic into and out of eth0 flows.
See the first part of http://www.shorewall.net/Xen.html for details.

So to make your existing script work in dom0, at the very least you need to 
add:

        $IPTABLES -A FORWARD -i xenbr0 -o xenbr0 -j ACCEPT

Configuring a secure firewall in dom0 that also controls traffic to/from the 
domUs is a rather complex task -- I find it easier to run my firewall in a 
domU (see http://www.shorewall.net/XenMyWay.html).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@xxxxxxxxxxxxx
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Attachment: pgp7t7vKDb4hN.pgp
Description: PGP signature

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-users] DomU boot EXT2-fs warning question, Simon
Next by Date:  [Xen-users] Re: compiled xen kernel, second processor and HT gone, Anand Gupta
Previous by Thread:  Re: [Xen-users] using physical NIC, Ryan
Next by Thread:  Re: [Xen-users] Firewalls, Christian Lyra
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy