|
|
|
|
|
|
|
|
|
|
xen-devel
[Xen-devel] Xen and Firewalling
Good evening all,
I would like to have a number of fairly autonomous domains on a xen
box and would like to give the admins the ability to maintain their
own firewalls. However netfilter's not compiled in to the domU
kernels:
# iptables -L -n
modprobe: Can't open dependencies file
/lib/modules/2.6.10-xenU/modules.dep (No such file or directory)
iptables v1.2.11: can't initialize iptables table `filter': iptables
who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Is there a reason for this? Is simply doing a make menuconfig inside
linux-2.6.10-xenU and setting the requisite options sufficient?
According to linux-2.6.10-xen-sparse/arch/xen/configs/xenU_defconfig
there are some modules already so it would follow that there's no
problem compiling netfilter as modules? That being the case, why
aren't they compiled by default ? I see that netfilter is indeed
included in the default dom0 config, and can understand why someone
would want to put some basic restrictions on the domains (eg to ensure
that they are using only allocated IPs, for accounting and to enforce
any other administrative policies), but it would certainly be more
flexible to allow each domain to maintain its own security policy.
For this paticular installation the preferred setup would be not
allowing anything but ssh from certain IPs to dom0, and then have each
of the domains taking care of itself - they would be, for all intents
and purposes, standalone machines.
Sam
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
|
<Prev in Thread] |
Current Thread |
[Next in Thread>
|
- [Xen-devel] Xen and Firewalling,
Sam Johnston <=
|
|
|
|
|