WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Xen-users] Xen 3.4.2 networking help

from [Simon Hobson] [Permanent Link][Original]
To: Xen-users@xxxxxxxxxxxxxxxxxxx
Subject: RE: [Xen-users] Xen 3.4.2 networking help
From: Simon Hobson <linux@xxxxxxxxxxxxxxxx>
Date: Wed, 27 Oct 2010 10:20:11 +0100
Cc:
Delivery-date: Wed, 27 Oct 2010 02:22:13 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <46C13AA90DB8844DAB79680243857F0F0AFEF6@xxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <865472.89218.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxxx><1288112346.2867.147.camel@E 4310><830769.85058.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxxx><p06240806c8ed7b7b3394@ simon.thehobsons.co.uk><4CC7D21A.3050200@xxxxxxxxxxx> <p06240807c8ed936f2200@xxxxxxxxxxxxxxxxxxxxxx> <46C13AA90DB8844DAB79680243857F0F0AFEF6@xxxxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx 
Jonathan Tripathy wrote:
If you are refering to the OUTPUT chain of the Dom0 itself, surely you wouldn't use physdev at all? Wouldn't you just use "iptables -A OUTPUT -o ethx ...."?
Dunno about iptables specifics - I only use Shorewall and I know it's a limitation. But isn't "-o ethx" a device match ? If there was a way around the limitation, I'm sure Tom Eastep would have figured it out.
In any case, I don't block by interface on the Dom0's OUTPUT chain. No real need to when the INPUT chain is protected with "iptables -A INPUT -i ..." I only ever use physdev on the FORWARD chain, which works for both incoming and outgoing traffic.
Well for me input restrictions are sufficient on Dom0 since no-one else is running stuff on Dom0. On my DomUs I also block outbound by default so that "less security minded" users have less scope to cause problems and/or there is less scope if a machine gets compromised. 

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-users] Xen 3.4.2 networking help, Thomas Halinka
Next by Date:  [Xen-users] Re: Problem starting Windows guests: Domain unable to be unpaused: an integer is required, Flavio
Previous by Thread:  RE: [Xen-users] Xen 3.4.2 networking help, Jonathan Tripathy
Next by Thread:  RE: [Xen-users] Xen 3.4.2 networking help, Jonathan Tripathy
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy