WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Re: [Xen-users] firewalls and Xen


On Feb 14, 2006, at 10:27 AM, Daniel Goertzen wrote:

> I'm not sure if it makes sense to include peth0 and vif0.0 in your rules, as you're mucking around with interfaces that are in the same bridge.

Isn't this what the bridge interface filtering tools are for? If I can just figure out when packets go through each interface, I should be able to do it (see IPTables or Firehol's physin/physout commands).

> If you're just trying to firewall dom0 you should do something like:

I need to do more than that, however.

> Blocking traffic to the domU: Think of the domU as sitting on the same LAN that dom0's eth0 is connected to. Add rules to block traffic from domU's IP address. If you *really* want to filter by interface, you might want to think about using Xen's routed configuration instead of the bridged config.

I'd really rather not introduce that complication, since all I need to figure out is which virtual interfaces these types of packets go from/to. Plus, I'd really like to understand the packet flow through Xen's dom0 and domUs.

Thanks

--
Luke

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
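The "bridge interface filtering tools" Luke refers to are the iptables physdev match (and ebtables). The script below is an added example, not code from either poster: it shows how, in the classic bridged Xen layout, a domU's traffic can be filtered from dom0 by the bridge port it enters or leaves on, next to the simpler block-by-IP rule Daniel suggests. Interface and address names (xenbr0 bridge, vif1.0, peth0, 192.0.2.10) are assumptions, and DRY_RUN defaults to printing the rules rather than applying them.

```shell
#!/bin/sh
# Added example (not from the thread): iptables physdev rules for a bridged Xen domU.
# Assumed layout: domU 1's vif in dom0 is vif1.0, the physical NIC is peth0, both on
# bridge xenbr0; dom0's own eth0 is paired with bridge port vif0.0. The domU address
# 192.0.2.10 is a constructed example. DRY_RUN=1 (the default) only prints the commands.

DRY_RUN="${DRY_RUN:-1}"
IPT="iptables"

# Print or execute one iptables invocation.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Bridged frames only traverse the FORWARD chain when bridge-nf is enabled;
# without this sysctl the physdev matches below never see the traffic.
enable_bridge_nf() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "sysctl -w net.bridge.bridge-nf-call-iptables=1"
    else
        sysctl -w net.bridge.bridge-nf-call-iptables=1
    fi
}

# Per-interface rules for one domU: $1 = its vif in dom0, $2 = its IP, $3 = physical NIC.
# Frames the domU sends enter the bridge on its vif (--physdev-in); frames addressed
# to it leave the bridge on its vif (--physdev-out). Frames to/from the outside LAN
# use peth0 as the other port; frames to/from dom0 itself use vif0.0 instead.
domu_rules() {
    vif="$1"; ip="$2"; phys="${3:-peth0}"
    # Anti-spoofing: the domU may only send from its assigned address.
    run -A FORWARD -m physdev --physdev-in "$vif" ! -s "$ip" -j DROP
    # Outbound from the domU to the LAN is allowed.
    run -A FORWARD -m physdev --physdev-in "$vif" --physdev-out "$phys" -s "$ip" -j ACCEPT
    # Inbound from the LAN only for connections the domU initiated.
    run -A FORWARD -m physdev --physdev-in "$phys" --physdev-out "$vif" -d "$ip" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Everything else headed for the domU is dropped.
    run -A FORWARD -m physdev --physdev-out "$vif" -d "$ip" -j DROP
}

# The address-only variant Daniel suggests: no physdev match, just the domU's IP.
domu_ip_only_rules() {
    ip="$1"
    run -A FORWARD -d "$ip" -j DROP
}

enable_bridge_nf
domu_rules vif1.0 192.0.2.10
```

Run it with DRY_RUN=0 as root on the dom0 to apply the rules; the order matters, since the final DROP for the vif catches anything the ACCEPT rules above it did not match.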
