WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Xen-users] dom0 iptables FORWARD default DROP?

from [John Hannfield] [Permanent Link][Original]
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] dom0 iptables FORWARD default DROP?
From: "John Hannfield" <hal9020@xxxxxxxxx>
Date: Sat, 25 Nov 2006 10:47:47 +0000
Delivery-date: Sat, 25 Nov 2006 02:48:05 -0800
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=t2B9vXlH7k6U8MlpSnAWhFPxpngCEe06Jyy1aEJZHhx1bYyzKWMU25RLOgYG8QXlv3ERJVomHwrGEVuA3omysmWqRqgfwBMPs68VbhSXM2FLBsMitpmCWW2CCRfCWPFLlj1H/njPGbN6IBuYZIsp86NrMc1STYyj1z79nqvBJQk=
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx 
Hello,
What is the best policy for the FORWARD chain in dom0 iptables?
Can I use a default DROP policy?
I notice when domains are created it adds the extra rules to the
FORWARD chain, to
allow traffic to the guests. However, if iptables is restarted, all
these rules are lost.

Do I need a rule per VPS, or can I use a single catch all to handle all of them?

http://wiki.xensource.com/xenwiki/XenNetworking
Suggests using this:

-A FORWARD -m physdev --physdev-in eth0  ! --physdev-out  eth0  -j ACCEPT
-A FORWARD -m physdev --physdev-out eth0 ! --physdev-in  eth0  -j ACCEPT

What is the recommended way to handle the FORWARD chain in dom0 iptables?

--

John

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • [Xen-users] dom0 iptables FORWARD default DROP?, John Hannfield <=
Previous by Date:  Re: [Xen-users] Time/clock issues with Xen 3.0.3?, Tim Post
Next by Date:  Re: [Xen-users] HVM success reports required for wiki, Andreas Fromm
Previous by Thread:  [Xen-users] HVM success reports required for wiki, Ben
Next by Thread:  [Xen-users] xen and madwifi, Jan Bernatik
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy