WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-users] iptables in dom0

from [Peter Fokkinga] [Permanent Link][Original]
To: Sipos Ferenc <frank@xxxxxxx>
Subject: Re: [Xen-users] iptables in dom0
From: Peter Fokkinga <peter@xxxxxxxxxxx>
Date: Wed, 10 Jan 2007 23:02:16 +0100
Cc: xen-users <xen-users@xxxxxxxxxxxxxxxxxxx>
Delivery-date: Wed, 10 Jan 2007 14:01:52 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <1168463971.4698.25.camel@localhost>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <1168463971.4698.25.camel@localhost>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Internet Messaging Program (IMP) H3 (4.1.3) 
Quoting Sipos Ferenc <frank@xxxxxxx>:

How come then, that a
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
rule leaves me with no outbound connection? The other end cleary states
that a high port in my dom0 is not accessible to it, which means my
firewall is not stateful, as it was initiated by me (dom0)?


I don't know whether it's a bug or by design (but I don't understand
why/how either), but I had the same experience.


Furthermore, if I do the --physdev filtering like most people do, when
shall I run the script from? Right after xend starts? Is there
preferable point in time to do it during dom0's boot?


Could you confirm it is a firewall problem? In other words, if you
execute `iptables -F`, does your networking work then?

I run my firewall script after starting xend. However, I noticed that
at that time eth0 is sometimes not "up" at that moment. I worked around
that problem by adding the following two lines to my firewall script
(before calling iptables):
  /sbin/ifdown eth0 2> /dev/null
  /sbin/ifup eth0

Cheers, Peter




_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-users] hwclock problems in domU, Nico Kadel-Garcia
Next by Date:  [Xen-users] FC5 -- Xen 3.0.2 -- networking with dom0 and domU, dgreen
Previous by Thread:  [Xen-users] iptables in dom0, Sipos Ferenc
Next by Thread:  Re: [Xen-users] iptables in dom0, Mark Nellemann
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy