WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-users

RE: [Xen-users] Xen 3.4.2 networking help

Jonathan Tripathy wrote:

If you are refering to the OUTPUT chain of the Dom0 itself, surely you wouldn't use physdev at all? Wouldn't you just use "iptables -A OUTPUT -o ethx ...."?

Dunno about iptables specifics - I only use Shorewall and I know it's a limitation. But isn't "-o ethx" a device match ? If there was a way around the limitation, I'm sure Tom Eastep would have figured it out.

In any case, I don't block by interface on the Dom0's OUTPUT chain. No real need to when the INPUT chain is protected with "iptables -A INPUT -i ..." I only ever use physdev on the FORWARD chain, which works for both incoming and outgoing traffic.

Well for me input restrictions are sufficient on Dom0 since no-one else is running stuff on Dom0. On my DomUs I also block outbound by default so that "less security minded" users have less scope to cause problems and/or there is less scope if a machine gets compromised.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users