xen-users

Re: [Xen-users] firewalls and Xen

To: Luke <secureboot@xxxxxxxxx>
Subject: Re: [Xen-users] firewalls and Xen
From: Daniel Goertzen <goertzen@xxxxxxxx>
Date: Tue, 14 Feb 2006 09:27:40 -0600
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
In-reply-to: <796A7B7A-174F-4A38-865B-09D316F8CAE8@xxxxxxxxx>
References: <796A7B7A-174F-4A38-865B-09D316F8CAE8@xxxxxxxxx>
I'm not sure if it makes sense to include peth0 and vif0.0 in your rules, as you're mucking around with interfaces that are in the same bridge. If you're just trying to firewall dom0 you should do something like:

interface eth0 mydom0
  server http accept
  client all accept
  ...

Blocking traffic to the domU: Think of the domU as sitting on the same LAN that dom0's eth0 is connected to. Add rules to block traffic from domU's IP address. If you *really* want to filter by interface, you might want to think about using Xen's routed configuration instead of the bridged config.

Cheers,
Dan.

Luke wrote:

I'm trying to do firewalling on Xen, and am becoming a bit confused.
I want to do filtering based on the interface name for a number of rules.

I'd like to say:
anything coming into dom0 from the internet is okay.

I tried:
anything coming in on physical interface peth0 with outgoing physical interface vif0.0 is okay.

This seems to work.

The one that doesn't work:

I want to say -
anything from any domU to dom0 is NOT okay

I said:
if physical interface of incoming packets is not peth0 and destination physical interface is vif0.0 reject.

This doesn't seem to work, as the dom0 is no longer able to connect to things.

Is there a good discussion as to which interfaces packets go to/from in which cases? When do packets go through peth0? When do they only go through the vif devices?

I'm using firehol to generate the IPTables scripts...

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
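Dan's suggestion worked into a complete firehol configuration, as an added example that is not from the thread: dom0 is firewalled on eth0 only, and the domU is kept out by its IP address rather than by bridge port. The addresses and the accepted service are assumptions.

```firehol
version 5

# Constructed addresses for this example (not from the thread):
# dom0's eth0 is 192.168.1.10, the domU is 192.168.1.50.
domu="192.168.1.50"

# Traffic from the domU, reaching dom0 through the bridge: nothing is
# accepted. With no server/client lines the policy applies to everything.
interface eth0 from_domu src "${domu}"
  policy reject

# Everything else arriving on eth0 (the internet and the rest of the LAN).
# peth0 and vif0.0 are deliberately not referenced: they are ports of the
# same bridge, and matching on them is what cut dom0 off in the first place.
interface eth0 mydom0 src not "${domu}"
  policy drop
  protection strong
  # list only the services dom0 really offers; http is an assumed example
  server http accept
  client all accept
```

Load it with `firehol try`, which reverts to the previous rule set unless you confirm within the timeout, so an interface-based mistake like the one above cannot lock dom0 out a second time.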
