WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] Firewall settings for domUs in Xen!

To: Jan Muhammad <janmuhd@xxxxxxxxx>
Subject: Re: [Xen-users] Firewall settings for domUs in Xen!
From: "Fajar A. Nugraha" <fajar@xxxxxxxxx>
Date: Sat, 6 Mar 2010 17:00:01 +0700
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Sat, 06 Mar 2010 02:01:30 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <16773.27086.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <16773.27086.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
On Fri, Mar 5, 2010 at 6:43 PM, Jan Muhammad <janmuhd@xxxxxxxxx> wrote:
>
> Hi,
>
> I've set up Debian-based Xen (dom0) with two domUs of the same OS flavour; I'm
> using bridging and static IPs for my domUs.
> I wonder whether the firewall settings for dom0 are enough to protect domUs

Bridged traffic is also filtered by dom0's iptables on the default setup,
but the default rule is "allow all traffic that belongs to domU's
interface". The rule is like this:

-A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif2.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif2.0 -j ACCEPT

I highly suggest you leave it as it is, as filtering domUs' traffic on
domU can lead to a complex setup.

> or do I need to set up separate firewall rules for domUs individually?

That would be best. When setting up bridged networking, it's easiest
to think of dom0 as a switch. Think of domU like any other physical
machine on the network. Do what you usually do to set up a firewall on
physical machines.

-- 
Fajar
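An added example, not part of the thread: a small POSIX shell audit of the dom0 FORWARD rules described above. Given iptables-save style output and a vif name, it reports whether that domU still has the default "accept everything coming in from the vif" rule (so the guest needs its own firewall, as the reply recommends), and it includes a check of the bridge-nf-call-iptables sysctl, which is my addition (physdev matches only see bridged frames when it is 1). The sample ruleset is constructed, not captured from a real host.

```shell
#!/bin/sh
# Audit Xen vif-bridge style FORWARD rules for a given domU interface.

# Constructed sample in iptables-save format (not from a real dom0).
# vif2.0 has the stock allow-all pair; vif3.0 has been hand-filtered.
SAMPLE_RULES='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif2.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif2.0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif3.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif3.0 -p tcp --dport 22 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif3.0 -j DROP
COMMIT'

# vif_inbound_policy RULES VIF
# Prints "allow-all" if the only --physdev-in rule for VIF is an
# unconditional ACCEPT, "filtered" if narrower rules exist, "none" if no
# rule mentions the vif at all. On a live dom0 pass "$(iptables-save)".
vif_inbound_policy() {
    rules="$1"; vif="$2"
    # Trailing space keeps vif2.0 from matching vif2.01.
    in_rules=$(printf '%s\n' "$rules" | grep -- "--physdev-in $vif " || true)
    if [ -z "$in_rules" ]; then
        echo none
        return
    fi
    # The stock rule: physdev-in match, then ACCEPT, no other match at all.
    if printf '%s\n' "$in_rules" \
        | grep -qE -- "^-A FORWARD -m physdev +--physdev-in $vif -j ACCEPT$"; then
        echo allow-all
    else
        echo filtered
    fi
}

# bridge_nf_enabled VALUE
# VALUE is the content of /proc/sys/net/bridge/bridge-nf-call-iptables.
# When it is 0 the FORWARD rules above never see bridged domU frames.
bridge_nf_enabled() {
    [ "${1:-0}" -eq 1 ]
}

for vif in vif2.0 vif3.0 vif4.0; do
    printf '%s: %s\n' "$vif" "$(vif_inbound_policy "$SAMPLE_RULES" "$vif")"
done
```

On a real dom0, run `vif_inbound_policy "$(iptables-save)" vifN.0` together with `bridge_nf_enabled "$(cat /proc/sys/net/bridge/bridge-nf-call-iptables)"`; "allow-all" with the sysctl on means dom0 is passing that guest's traffic through unfiltered.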
