WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
 
   
 

xen-users

[Xen-users] Re: Blocking DomU NetBios

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] Re: Blocking DomU NetBios
From: Ligesh <myself@xxxxxxxxxx>
Date: Wed, 13 Feb 2008 17:31:41 +0530
In-reply-to: <20080212113818.GA19475@xxxxxxxxxx>
References: <20080211235857.GA5298@xxxxxxxxxx> <47B0DDA4.8010609@xxxxxxxxxx> <20080212113818.GA19475@xxxxxxxxxx>
I added these rules on the dom0, but they didn't have any effect whatsoever on 
the domUs. Shouldn't the domU network devices appear as physical devices on the 
dom0, and then the INPUT/OUTPUT chain just work?

Any help would be greatly appreciated. A Google search for "xen block netbios" 
is bringing this particular thread as the first result, so I guess it is not 
something that's common knowledge.

iptables -A OUTPUT -p tcp --dport 135:139 -j DROP
iptables -A OUTPUT -p udp --dport 135:139 -j DROP
iptables -A INPUT  -p tcp --dport 135:139 -j DROP
iptables -A INPUT  -p udp --dport 135:139  -j DROP
iptables -A FORWARD  -p tcp --dport 135:139 -j DROP
iptables -A FORWARD  -p udp --dport 135:139 -j DROP

Thanks.

On Tue, Feb 12, 2008 at 05:08:18PM +0530, Ligesh wrote:
> 
>  It has to be done outside of the domU. Modifying the domU is not an option 
> at all. That's a major effort if you have 30 domUs on a node already running, 
> and anyway, the idea is that domUs are run by hostile users, and all security 
> is implemented outside of it.
> 

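An added example, not part of the original message: a check over `iptables -S` output for the general netfilter reasons a port DROP on dom0 can miss domU traffic. INPUT and OUTPUT cover only dom0's own packets, bridged frames reach FORWARD only when `bridge-nf-call-iptables` is 1, and an earlier ACCEPT in FORWARD wins. The function names, result strings and sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Real use on dom0 (assumes a bridged setup):
#   iptables -S | diagnose "$(cat /proc/sys/net/bridge/bridge-nf-call-iptables)" 135:139
diagnose() {  # diagnose BRIDGE_NF PORTS, ruleset in `iptables -S` format on stdin
    awk -v nf="$1" -v ports="$2" '
    $1 != "-A" { next }                      # skip -P / -N lines
    {
        drop = 0; accept = 0; port = 0; anyport = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-j" && $(i+1) == "DROP")   drop = 1
            if ($i == "-j" && $(i+1) == "ACCEPT") accept = 1
            if ($i == "--dport") { anyport = 1; if ($(i+1) == ports) port = 1 }
        }
        if ($2 != "FORWARD") next            # INPUT/OUTPUT never see guest traffic
        if (drop && port) {
            # remember whether a broad ACCEPT came before the first matching DROP
            if (!found) { found = 1; shadowed = early_accept }
        } else if (accept && !anyport && !found) {
            early_accept = 1                 # heuristic: ACCEPT with no port match
        }
    }
    END {
        if (!found)        print "no-forward-drop"
        else if (nf != 1)  print "bridge-nf-disabled"
        else if (shadowed) print "shadowed-by-accept"
        else               print "ok"
    }'
}

# Constructed sample: rules from the message as `iptables -S` would print them,
# with a constructed per-interface ACCEPT rule ahead of the FORWARD drops.
sample_rules() {
cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 135:139 -j DROP
-A FORWARD -m physdev --physdev-in vif1.0 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 135:139 -j DROP
-A FORWARD -p udp -m udp --dport 135:139 -j DROP
-A OUTPUT -p tcp -m tcp --dport 135:139 -j DROP
EOF
}

sample_rules | diagnose 1 135:139
```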