xen-users

Re: [Xen-users] Firewalls

On Fri, 7 Apr 2006 13:15:27 -0700
Tom Eastep <teastep@xxxxxxxxxxxxx> wrote:

> On Friday 07 April 2006 10:44, Jacob S wrote:
> 
> >
> > So, now my question is, is it expected for network-bridge to be
> > incompatible with iptables, or is this a bug?
> >
> 
> Neither -- it is rather your lack of understanding of how bridges
> (like the one created by xend) and iptables/Netfilter interact.
> 
> When your kernel is compiled with CONFIG_BRIDGE_NETFILTER=y, traffic
> passing through bridges is processed by Netfilter. When xend starts,
> it creates a bridge (xenbr0) through which all traffic into and out
> of eth0 flows. See the first part of
> http://www.shorewall.net/Xen.html for details.
> 
> So to make your existing script work in dom0, at the very least you
> need to add:
> 
>       $IPTABLES -A FORWARD -i xenbr0 -o xenbr0 -j ACCEPT
> 
> Configuring a secure firewall in dom0 that also controls traffic
> to/from the domUs is a rather complex task -- I find it easier to run
> my firewall in a domU (see http://www.shorewall.net/XenMyWay.html).

Thanks, Tom. That looks like exactly what I was looking for. Great
tutorials.

Jacob
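The rule Tom describes, plus a tighter per-domU variant, as an added example written for this archive page (not Tom's script and not Shorewall's). It assumes the xend bridge is called xenbr0, that a domU's bridge port is named vif<domid>.<n> (vif1.0 for domain 1), and that the kernel has CONFIG_BRIDGE_NETFILTER=y and the physdev match available:

```shell
#!/bin/sh
# Added example, not from the thread. With CONFIG_BRIDGE_NETFILTER=y every
# IP packet crossing the xend bridge traverses the FORWARD chain, so a dom0
# script with a DROP policy on FORWARD silently cuts the domUs off unless
# bridged traffic is accepted explicitly. Set IPTABLES=echo to review the
# rules before applying them.
IPTABLES=${IPTABLES:-iptables}
BRIDGE=${BRIDGE:-xenbr0}     # bridge created by xend (assumed name)

# The minimum Tom's reply asks for: let frames cross between bridge ports.
allow_bridge() {
    "$IPTABLES" -A FORWARD -i "$BRIDGE" -o "$BRIDGE" -j ACCEPT
}

# Tighter alternative (my assumption, not from the thread): instead of
# accepting everything on the bridge, match the bridge port a packet entered
# or leaves on (-m physdev). The domU behind $1 may open TCP connections only
# to the ports listed in $2..; it may receive only replies to those.
restrict_vif() {
    vif=$1; shift                     # domU bridge port, e.g. vif1.0
    # replies flowing out of the domU for connections already allowed
    "$IPTABLES" -A FORWARD -i "$BRIDGE" -m physdev --physdev-in "$vif" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in "$@"; do              # new connections from the domU
        "$IPTABLES" -A FORWARD -i "$BRIDGE" -m physdev --physdev-in "$vif" \
            -p tcp --dport "$port" -j ACCEPT
    done
    # replies flowing into the domU
    "$IPTABLES" -A FORWARD -o "$BRIDGE" -m physdev --physdev-out "$vif" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # everything else to or from this port is dropped
    "$IPTABLES" -A FORWARD -i "$BRIDGE" -m physdev --physdev-in "$vif" -j DROP
    "$IPTABLES" -A FORWARD -o "$BRIDGE" -m physdev --physdev-out "$vif" -j DROP
}
```

Note that iptables only sees IP traffic on the bridge; ARP and other non-IP frames between bridge ports are governed by ebtables, not by these rules.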
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users