xen-users
Re: [Xen-users] Firewalls
On Fri, 7 Apr 2006 13:15:27 -0700
Tom Eastep <teastep@xxxxxxxxxxxxx> wrote:
> On Friday 07 April 2006 10:44, Jacob S wrote:
>
> >
> > So, now my question is, is it expected for network-bridge to be
> > incompatible with iptables, or is this a bug?
> >
>
> Neither -- it is rather your lack of understanding of how bridges
> (like the one created by xend) and iptables/Netfilter interact.
>
> When your kernel is compiled with CONFIG_BRIDGE_NETFILTER=y, traffic
> passing through bridges is processed by Netfilter. When xend starts,
> it creates a bridge (xenbr0) through which all traffic into and out
> of eth0 flows. See the first part of
> http://www.shorewall.net/Xen.html for details.
>
> So to make your existing script work in dom0, at the very least you
> need to add:
>
> $IPTABLES -A FORWARD -i xenbr0 -o xenbr0 -j ACCEPT
>
> Configuring a secure firewall in dom0 that also controls traffic
> to/from the domUs is a rather complex task -- I find it easier to run
> my firewall in a domU (see http://www.shorewall.net/XenMyWay.html).
Thanks, Tom. That looks like exactly what I was looking for. Great
tutorials.
Jacob
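The interaction Tom describes (bridge-netfilter handing bridged frames to the FORWARD chain, so a dom0 script with a DROP policy silently cuts off every domU) can be checked and addressed with the small script below. It is an added example, not code from the thread or from Shorewall; it assumes the bridge is named xenbr0 as in the thread, that the sysctl lives at /proc/sys/net/bridge/bridge-nf-call-iptables, and it only prints commands, it does not apply them.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread.
# Assumed: the xend-created bridge is xenbr0 and the kernel exposes
# /proc/sys/net/bridge/bridge-nf-call-iptables (CONFIG_BRIDGE_NETFILTER=y).

# Report whether bridged IPv4 traffic is passed to iptables on this host.
# Returns 0 = yes, 1 = bridge-netfilter present but disabled,
# 2 = the kernel has no bridge-netfilter at all.
bridge_nf_active() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "1" ]
}

# Print the minimum FORWARD-chain commands a dom0 firewall script needs
# for one bridge, in the same $IPTABLES style the thread uses.
# With bridge-netfilter on, every frame between a domU and the physical
# NIC enters and leaves FORWARD on the same bridge interface; without an
# explicit ACCEPT it falls through to the DROP policy and the guests
# lose all connectivity. Note the caveat from the thread: this rule
# also means dom0 does no filtering between domUs; that policy must
# live elsewhere (e.g. a firewall domU).
xen_forward_rules() {
    br=$1
    ipt=${IPTABLES:-iptables}
    cat <<EOF
$ipt -P FORWARD DROP
$ipt -A FORWARD -i $br -o $br -j ACCEPT
$ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}
```

Review the printed commands first, then run `xen_forward_rules xenbr0 | sh` as root in dom0; `bridge_nf_active; echo $?` tells you whether the rule is needed at all on a given kernel.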
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users