WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
[Xen-devel] Xen and Firewalling

To: xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-devel] Xen and Firewalling
From: Sam Johnston <samjie@xxxxxxxxx>
Date: Mon, 18 Apr 2005 00:30:23 +0100
Good evening all,

I would like to have a number of fairly autonomous domains on a xen
box and would like to give the admins the ability to maintain their
own firewalls. However netfilter's not compiled in to the domU
kernels:

# iptables -L -n
modprobe: Can't open dependencies file
/lib/modules/2.6.10-xenU/modules.dep (No such file or directory)
iptables v1.2.11: can't initialize iptables table `filter': iptables
who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Is there a reason for this? Is simply doing a make menuconfig inside
linux-2.6.10-xenU and setting the requisite options sufficient?
According to linux-2.6.10-xen-sparse/arch/xen/configs/xenU_defconfig
there are some modules already so it would follow that there's no
problem compiling netfilter as modules? That being the case, why
aren't they compiled by default? I see that netfilter is indeed
included in the default dom0 config, and can understand why someone
would want to put some basic restrictions on the domains (eg to ensure
that they are using only allocated IPs, for accounting and to enforce
any other administrative policies), but it would certainly be more
flexible to allow each domain to maintain its own security policy.

For this particular installation the preferred setup would be not
allowing anything but ssh from certain IPs to dom0, and then have each
of the domains taking care of itself - they would be, for all intents
and purposes, standalone machines.

Sam

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
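The iptables error quoted above is what iptables 1.2.x prints when the `filter` table does not exist: it first tries `modprobe ip_tables`, which fails because the domU has no modules tree, and then gives up. Either build the netfilter options into the xenU kernel (=y) or build them as modules and install them into the domU root filesystem. The script below is an added example, not code from the mail or from the Xen project: it checks a domU kernel .config for the 2.6.10 netfilter options iptables needs, and it expresses the dom0 policy the mail describes (ssh only from named admin hosts, everything else dropped) together with per-vif source-address enforcement so each domain can use only its allocated IP while the rest of its policy is left to the domain itself. The admin hosts, vif names and domain addresses are assumed placeholders; the `physdev` match requires bridge netfilter (CONFIG_BRIDGE_NETFILTER) in the dom0 kernel.

```shell
#!/bin/sh
# Added example (not from the original mail or the Xen tree): dom0 firewall
# policy for "ssh to dom0 from admin hosts only, domains look after themselves",
# plus a check that a domU kernel .config carries the netfilter options iptables
# needs. Addresses and interface names are assumed placeholders.

IPT="${IPT:-iptables}"   # set IPT="echo iptables" to preview rules instead of applying them

# Options a 2.6.10 domU kernel needs for `iptables -L` on the filter table plus
# the state match. =y avoids the modprobe/modules.dep failure quoted in the
# mail; =m works only if the modules are installed into the domU root fs.
NETFILTER_OPTS="CONFIG_NETFILTER CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_MATCH_STATE"

# check_netfilter_config <.config>: print the missing options, return 1 if any.
check_netfilter_config() {
    missing=""
    for opt in $NETFILTER_OPTS; do
        grep -Eq "^$opt=(y|m)\$" "$1" || missing="$missing $opt"
    done
    if [ -n "$missing" ]; then
        printf 'missing:%s\n' "$missing"
        return 1
    fi
    return 0
}

# dom0_policy "<admin ip> ...": dom0 accepts only loopback, replies to its own
# connections, and new ssh sessions from the listed hosts. FORWARD defaults to
# DROP, so a domain gets traffic only through rules added for its vif.
dom0_policy() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for ip in $1; do
        $IPT -A INPUT -p tcp -s "$ip" --dport 22 -m state --state NEW -j ACCEPT
    done
}

# vif_policy <vif> <allocated ip>: frames entering the bridge from the vif must
# carry the domain's allocated source address; anything else from that vif is
# dropped. Traffic to the allocated address is passed through untouched, so the
# domain's own iptables decides what it accepts. Needs bridge-nf in dom0.
vif_policy() {
    $IPT -A FORWARD -m physdev --physdev-in "$1" -s "$2" -j ACCEPT
    $IPT -A FORWARD -m physdev --physdev-out "$1" -d "$2" -j ACCEPT
    $IPT -A FORWARD -m physdev --physdev-in "$1" -j DROP
}

# Usage: sh xen-fw.sh apply        (IPT="echo iptables" sh xen-fw.sh apply to preview)
if [ "${1:-}" = "apply" ]; then
    dom0_policy "192.0.2.10 192.0.2.11"      # assumed admin hosts
    vif_policy vif1.0 198.51.100.11          # assumed allocation for domain 1
    vif_policy vif2.0 198.51.100.12          # assumed allocation for domain 2
fi
```

Run `check_netfilter_config` against `linux-2.6.10-xenU/.config` after `make menuconfig` and before building; a domain whose vif rules are in place can then run `iptables` inside the guest without dom0 needing to know its policy.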
