This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] Domain0 and firewalls

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Domain0 and firewalls
From: Tom Eastep <teastep@xxxxxxxxxxxxx>
Date: Wed, 22 Feb 2006 13:14:51 -0800
Delivery-date: Wed, 22 Feb 2006 21:15:22 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <200602220848.07830.david@xxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <200602220848.07830.david@xxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: KMail/1.8.2
On Wednesday 22 February 2006 08:48, David Koski wrote:
> I am trying to configure a firewall (shorewall) for Domain0 and
> found this document:
> http://www.shorewall.net/Xen.html
> I had tried to simply install shorewall as I have done many times
> before on non-Xen systems but could not get traffic through the
> interfaces (eth0, eth1).
> The document above seems to imply that both eth0 and xenbr0
> interfaces have to be configured. All I am interested in is
> controlling traffic to and from Domain0, not the domUs. I want
> shorewall installed on each domU. Anyone have experience with
> this? Do domUs have special considerations when installing
> iptables rules? Can I use iptables in Domain0 on eth0 like a
> non-Xen system?

If your kernel is built with CONFIG_BRIDGE_NETFILTER=y (which most are), you 
cannot totally ignore the bridge in Dom0 when configuring your firewall. 
There are a couple of approaches you can take to modify a standard Shorewall 
sample configuration to do what you want though:

        - Add ipv4 zone 'xen' to /etc/shorewall/zones 
        - add the following entry to /etc/shorewall/interfaces:

                xen     xenbr0          routeback

        - Define explicit policies for all of your zone combinations
        - change the all->all policy to ACCEPT (with no logging)

I prefer a). It is similar to what I do (see 

Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@xxxxxxxxxxxxx
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
