This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


[Xen-users] XEN 4/Squeeze: Dom0 FTP Killed by Bridge; SSH Works

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] XEN 4/Squeeze: Dom0 FTP Killed by Bridge; SSH Works
From: andre.d@xxxxxxx
Date: Sat, 21 Aug 2010 12:34:31 +0200
Delivery-date: Sat, 21 Aug 2010 03:35:50 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <4c6f9bb1.2104720a.5e9f.1315@xxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <4c6f9bb1.2104720a.5e9f.1315@xxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Hey there,

I'm using Xen 4 as per Debian Squeeze (Linux 2.6.32-5-xen-amd64, Xen 
4.0.1-rc5). Dom0 is up and running with an IPTABLES firewall I successfully 
used on the bare hardware.

The Firewall is pretty restrictive but allows for incoming SSH and outgoing FTP 
(FTP client functionality). However, outgoing FTP (FTP client functionality) is 
allowed by an ESTABLISHED, RELATED rule, rather than opening the FTP data port 

This Firewall works perfectly well with exactly this script on the bare 
hardware, that is, apt-get works, and SSH works.

Under Xen, with the peth0 bridge, SSH works, but passive FTP fails.

The system has a single eth0 network card and uses the standard Xen bridging 

The firewall rules are located in interface specific chains which are referencd 
from INPUT, OUTPUT and FORWARD by jumping to them after maching the device, as 
in -A IPNUT -i eth0 -j inp_eth0.

I have played with forwarding and ip_forward settings and set the default 
FORWARD policy to ACCEPT but all that does not change a thing.

BTW, I am wondering whether http://wiki.xensource.com/xenwiki/XenNetworking is 
correct; shouldn't it read peth0 in the IPTABLES example?

If you have the slightest idea what I may be missing here, any 
keyword/pointer/explanation would be highly appreciated.

Thank you!
Neu: GMX De-Mail - Einfach wie E-Mail, sicher wie ein Brief!  
Jetzt De-Mail-Adresse reservieren: http://portal.gmx.net/de/go/demail

Xen-users mailing list

<Prev in Thread] Current Thread [Next in Thread>