xen-users
Re: [Xen-users] Problem start iptables - udp broken
On Tue, 28 Nov 2006, Abel Martín wrote:
> On 11/28/06, Bill Maidment <bill@xxxxxxxxxxx> wrote:
> > On Tue, 28 Nov 2006 10:22:53 +0100, Abel Martín wrote
> >
> > > I forgot to ask you. Are you trying to filter traffic for domU in
> > > dom0? If you are trying to do this with iptables and Xen bridged
> > > networking it makes no sense, since a bridged device is a link layer
> > > device and iptables works above at network and transport layer.
> >
> > I hope I'm not hijacking this thread, but what method is recommended to
> > firewall the xen0? Is it illogical to run a bridged network if you want
> > to firewall xen0?
> > Sorry for my ignorance. I'm still learning the ropes.
> > Cheers
> > Bill
> Well, you are right. You can use iptables in dom0 to secure domU
> (xen0). But I think it's easier to secure domU with an iptables
> ruleset inside domU, because setting up a tightly secured domU from
> dom0 is more complicated and implies the activation of IP forwarding,
> which is typical in a router/routed network environment.
> http://wiki.xensource.com/xenwiki/XenNetworking#head-602e26cd4a03b992f3938fe1bea03fa0fea0ed8b
>
> What I tried to say is that firewalling a domU with bridged networking
> via iptables in dom0 is weird to me. Usually you use bridged
> networking when domU is in the same network as dom0. Iptables usually
> filters traffic at network and transport layer, although you can set
> up restrictions for incoming and outgoing interfaces. You might want
> to use iptables physdev modules or ebtables to filter at link layer,
> but the last option is quite rare.
>
> I think this matter can be the subject of a separate debate: the best
> way to secure a domU. What do you think? I may have answered without
> much thinking. Maybe because I'm used to seeing iptables running in
> routers or hosts rather than in bridge devices, although I've seen
> them using the physdev iptables module.
>
> Sorry if I confused this thread.
>
Did I understand it correctly?
I can filter packets to Dom1 on Dom0 when iptables is bound to Dom0:peth0
or Dom0:vif1.0.
Dom0                Dom1
----                ----
                    eth0
                     |
eth0              vif1.0
 |                   |
-------------...  Bridge
 |
peth0
 |
If iptables runs without "-i dev", it binds to eth0 by default.
It sees no packets from peth0 to Dom1:eth0.
On xenwiki/XenNetworking I found documentation on configuring "bridging" and
"routing".
Where can I find information on the pros and cons (bridging vs. routing)?
regards Torsten
Launoc
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
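The thread's conclusion is that a bridged domU can still be filtered from dom0, but only in the FORWARD chain with the physdev match (Abel's suggestion), and only if the kernel's bridge-netfilter hook hands bridged frames to iptables at all, which is why an INPUT rule on dom0's eth0 never sees peth0 -> vif1.0 traffic. The script below is an added example, not code from the thread or from Xen: it assumes the domU's backend interface is vif1.0 and gives it the constructed address 192.0.2.10; the sysctl key and iptables options are the standard ones. DRY_RUN=1 (the default) prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): filter a bridged domU from dom0
# with the iptables physdev match. Assumptions: backend interface vif1.0,
# constructed domU address 192.0.2.10. DRY_RUN=1 echoes instead of applying.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Bridged frames only reach iptables' FORWARD chain when bridge-netfilter
# is on. Without it dom0's INPUT/OUTPUT chains never see peth0 -> vif1.0
# traffic, which is exactly what Torsten observed with "-i eth0".
enable_bridge_nf() {
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Rules for one domU: vif name, its IP, and a space-separated list of TCP
# ports that outside hosts are allowed to reach inside the domU.
domu_bridge_rules() {
    vif="$1"; ip="$2"; ports="$3"

    # Frames bridged towards the domU (leaving via its vif port):
    # allow replies to connections the domU opened ...
    run iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-out "$vif" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # ... and the explicitly published services ...
    for p in $ports; do
        run iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-out "$vif" \
            -p tcp --dport "$p" -d "$ip" -j ACCEPT
    done
    # ... then drop everything else headed for the domU.
    run iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-out "$vif" -j DROP

    # Anti-spoofing: frames entering from the domU's vif must carry its own
    # source address, so a compromised domU cannot impersonate a neighbour.
    run iptables -A FORWARD -m physdev --physdev-in "$vif" ! -s "$ip" -j DROP
}
```

Run it with DRY_RUN=0 as root on dom0 to apply the rules; the domU's own ruleset, as Abel recommends, is still worth keeping as the second layer.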