xen-users
Re: [Xen-users] Firewalls
On Saturday 15 April 2006 04:53, Dick Davies wrote:
> > Tom Eastep <teastep@xxxxxxxxxxxxx> wrote:
> > > When xend starts,
> > > it creates a bridge (xenbr0) through which all traffic into and out
> > > of eth0 flows. See the first part of
> > > http://www.shorewall.net/Xen.html for details.
>
> Thanks for the link Tom.
>
> Is this why I can't reuse my existing iptables rules in dom0?
> I assumed the stock xen3.0.1 dom0 kernel was missing some modules.

The reason that you can't use your existing iptables rules in a Xen dom0 is
that the networking configuration after xend starts is different from the
environment before xend starts (there is a bridge added and traffic passing
through that bridge is visible to netfilter; there are also additional
interfaces added but those interfaces have no IP configuration so they don't
present a compatibility problem).

In short, you cannot expect an existing set of iptables rules to work after
you make a significant change to the network configuration of the host.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@xxxxxxxxxxxxx
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
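
Added example, not part of the original message or of Shorewall: a static check of an iptables-save dump for the situation described above, where frames crossing xenbr0 become visible to netfilter. It assumes bridged frames traverse the filter table's FORWARD chain (Linux bridge-netfilter behaviour); the sample ruleset and the function name are constructed for illustration.

```python
import shlex

# Constructed sample (not from the thread): iptables-save output written for a
# host that only had eth0, i.e. before xend created the bridge.
PRE_XEND_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

def audit_forward_for_bridge(ruleset, bridge="xenbr0"):
    """Heuristic check: does the filter FORWARD chain let bridged frames pass?

    Rule order and user-defined chains are not modelled; a finding means
    "review this", not "proven blocked".
    """
    policy, accepts, in_filter = None, [], False
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = (line == "*filter")
        elif not in_filter:
            continue
        elif line.startswith(":FORWARD "):
            policy = line.split()[1]
        elif line.startswith("-A FORWARD "):
            args = shlex.split(line)
            target = args[args.index("-j") + 1] if "-j" in args else None
            # Bridged frames show the bridge as -i/-o; the port is seen via physdev.
            scoped = any(args[i] in ("-i", "-o") and args[i + 1] == bridge
                         for i in range(len(args) - 1)) or "physdev" in args
            if target == "ACCEPT" and scoped:
                accepts.append(line)
    blocked = policy == "DROP" and not accepts
    return {"forward_policy": policy, "bridge_accepts": accepts,
            "bridged_traffic_blocked": blocked}

if __name__ == "__main__":
    print(audit_forward_for_bridge(PRE_XEND_RULES))
    fixed = PRE_XEND_RULES.replace(
        "COMMIT", "-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT\nCOMMIT")
    print(audit_forward_for_bridge(fixed))
```

A `bridged_traffic_blocked` result of `True` on the pre-xend ruleset is the failure mode to look for first: the rules were correct for a single-interface host and silently stop guest traffic once the bridge exists.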