WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

RE: [Xen-users] latest GPLPV drivers 0.10.0.86 and microsoft.com

To: "James Harper" <james.harper@xxxxxxxxxxxxxxxx>, "Fajar A. Nugraha" <fajar@xxxxxxxxx>, "Ian Tobin" <itobin@xxxxxxxxxxxxx>
Subject: RE: [Xen-users] latest GPLPV drivers 0.10.0.86 and microsoft.com
From: "Nick Couchman" <Nick.Couchman@xxxxxxxxx>
Date: Tue, 08 Sep 2009 10:58:06 -0600
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Tue, 08 Sep 2009 09:59:18 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx

Actually, firewalling the dom0 *can* impact domUs, depending on how you do it.  You can put firewall rules onto a physical interface that affect all of the traffic that goes through that interface, whether the destination is the dom0 or not.  In fact, if you put iptables rules in place on your dom0 that limit access from outside to port 22 on the dom0 IP, that is going to eliminate all traffic except the traffic destined for dom0.  You need to construct your rules in such a way as to make sure traffic can flow between dom0 and outside and domUs and outside.


-Nick
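As an added example (not from this thread or from any Xen project code), here are the two dom0 iptables rule sets Nick contrasts, in iptables-save format, plus a quick check that a ruleset lets bridged guest traffic through. It assumes a bridged network where eth0 is the physical NIC attached to the Xen bridge, guest backends are named vif*, and the kernel has net.bridge.bridge-nf-call-iptables enabled, so bridged frames traverse dom0's FORWARD chain.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed names: eth0 (physical
# NIC on the bridge), vif+ (Xen guest backend interfaces). Rules are only
# printed; load them as root with:  dom0_and_domu_rules | iptables-restore

# The ruleset Nick warns about: only SSH to dom0 is allowed and FORWARD
# defaults to DROP, so with bridge-nf-call-iptables=1 every bridged frame
# for the domUs is discarded as well.
dom0_only_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Same dom0 policy, plus explicit FORWARD rules so traffic can flow between
# the domUs and the outside: guests may talk out, replies come back, and
# only the ports a guest is meant to serve are opened (80 here, assumed).
dom0_and_domu_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif+ -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m physdev --physdev-in eth0 -p tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# Sanity check before loading a ruleset on a bridging dom0: if nothing in
# FORWARD accepts, the guests lose their network. Usage:
#   forwards_bridged_traffic dom0_and_domu_rules && echo "guests reachable"
forwards_bridged_traffic() {
    "$1" | grep -q '^-A FORWARD .*-j ACCEPT'
}
```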

>>> On 2009/09/08 at 08:22, "Ian Tobin" <itobin@xxxxxxxxxxxxx> wrote:

But firewalling Dom 0 doesn't affect the VMs? 

And also if you did that you might not want to block certain ports as it
could be different on every VM.

BTW what is the best way of firewalling a Dom 0 built from the lenny
debs?

Thanks

Ian



-----Original Message-----
From: James Harper [mailto:james.harper@xxxxxxxxxxxxxxxx]
Sent: 08 September 2009 14:03
To: Ian Tobin; Fajar A. Nugraha
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: RE: [Xen-users] latest GPLPV drivers 0.10.0.86 and microsoft.com

>
> In the end this turned out to be some worm getting onto the VPS before
> we had a chance to enable the firewall, so now we are building the images
> offline, enabling the firewall and putting them on the net.
>
> Very strange how quickly it got infected, but lessons learned.
>
> Big thanks to James and Fajar for the advice.
>
> On another note, we can't put a perimeter firewall in place as the
> servers are on the internet in the datacenter.
>

You could firewall in Dom0 though.

Here (http://isc.sans.org/diary.html?storyid=7093&rss) is another good
reason why you should firewall early and firewall often :)

James






_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users