Re: [Xen-users] Firewalls

On Fri, 7 Apr 2006 13:15:27 -0700 Tom Eastep <teastep@xxxxxxxxxxxxx> wrote:

> On Friday 07 April 2006 10:44, Jacob S wrote:
> >
> > So, now my question is, is it expected for network-bridge to be
> > incompatible with iptables, or is this a bug?
>
> Neither -- it is rather your lack of understanding of how bridges
> (like the one created by xend) and iptables/Netfilter interact.
>
> When your kernel is compiled with CONFIG_BRIDGE_NETFILTER=y, traffic
> passing through bridges is processed by Netfilter. When xend starts,
> it creates a bridge (xenbr0) through which all traffic into and out
> of eth0 flows. See the first part of
> http://www.shorewall.net/Xen.html for details.
>
> So to make your existing script work in dom0, at the very least you
> need to add:
>
> $IPTABLES -A FORWARD -i xenbr0 -o xenbr0 -j ACCEPT
>
> Configuring a secure firewall in dom0 that also controls traffic
> to/from the domUs is a rather complex task -- I find it easier to run
> my firewall in a domU (see http://www.shorewall.net/XenMyWay.html).

Thanks, Tom. That looks like exactly what I was looking for. Great
tutorials.

Jacob

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
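The bridge/Netfilter interaction Tom describes, turned into a small dom0 helper script as an added example (not code from the thread or from Shorewall): it first checks whether bridged frames are actually being handed to iptables, then adds the intra-bridge ACCEPT rule only if the FORWARD chain does not already carry it. It assumes a Linux dom0 with iptables and iptables-save installed, the xend bridge name xenbr0, and the bridge-nf-call-iptables sysctl file that bridge-netfilter exposes.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes iptables,
# iptables-save and the xend-created bridge xenbr0 are present in dom0.

BRIDGE="${BRIDGE:-xenbr0}"
IPTABLES="${IPTABLES:-iptables}"

# Returns 0 when bridge-netfilter is active, i.e. frames crossing the
# bridge traverse the FORWARD chain (the situation Tom describes).
# $1 overrides the sysctl file path, which makes the check testable.
bridge_nf_enabled() {
    f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    [ -r "$f" ] || return 1          # kernel has no bridge-netfilter
    [ "$(cat "$f")" = "1" ]
}

# Reads iptables-save output on stdin. Returns 0 if the FORWARD chain
# already accepts traffic entering and leaving the same bridge.
has_bridge_accept_rule() {
    br="$1"   # bridge names contain no regex metacharacters
    grep -q -- "^-A FORWARD -i $br -o $br -j ACCEPT"
}

# Idempotently add the rule from the thread, in exactly its form.
ensure_bridge_accept_rule() {
    br="$1"
    if iptables-save | has_bridge_accept_rule "$br"; then
        echo "FORWARD already accepts $br -> $br traffic"
    else
        "$IPTABLES" -A FORWARD -i "$br" -o "$br" -j ACCEPT
    fi
}

# Only touch the live firewall when explicitly asked (needs root).
case "${1:-}" in
    --apply)
        if bridge_nf_enabled; then
            ensure_bridge_accept_rule "$BRIDGE"
        else
            echo "bridge-netfilter is off: bridged traffic bypasses iptables"
        fi
        ;;
esac
```

Run it as `./bridge-fw.sh --apply` in dom0; without the flag it only defines the functions, so it can be sourced into an existing firewall script.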