WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] iptables in dom0

To: Sipos Ferenc <frank@xxxxxxx>
Subject: Re: [Xen-users] iptables in dom0
From: Peter Fokkinga <peter@xxxxxxxxxxx>
Date: Wed, 10 Jan 2007 23:02:16 +0100
Cc: xen-users <xen-users@xxxxxxxxxxxxxxxxxxx>
Delivery-date: Wed, 10 Jan 2007 14:01:52 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <1168463971.4698.25.camel@localhost>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <1168463971.4698.25.camel@localhost>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Internet Messaging Program (IMP) H3 (4.1.3)
Quoting Sipos Ferenc <frank@xxxxxxx>:
> How come then, that a
> -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> rule leaves me with no outbound connection? The other end clearly states
> that a high port in my dom0 is not accessible to it, which means my
> firewall is not stateful, as it was initiated by me (dom0)?

I don't know whether it's a bug or by design (but I don't understand
why/how either), but I had the same experience.

> Furthermore, if I do the --physdev filtering like most people do, when
> shall I run the script from? Right after xend starts? Is there a
> preferable point in time to do it during dom0's boot?

Could you confirm it is a firewall problem? In other words, if you
execute `iptables -F`, does your networking work then?

I run my firewall script after starting xend. However, I noticed that
eth0 is sometimes not "up" at that moment. I worked around that problem
by adding the following two lines to my firewall script (before calling
iptables):
  /sbin/ifdown eth0 2> /dev/null
  /sbin/ifup eth0

Cheers, Peter
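An added example, not code from either mail or from Xen itself: a dom0 firewall helper that waits for eth0 to report operstate "up" instead of forcing ifdown/ifup, then loads the stateful rule from the thread atomically with iptables-restore. NET_SYSFS is an assumed override, present only so the wait logic can be exercised against a constructed sysfs tree; the rule order (INVALID dropped before ESTABLISHED,RELATED accepted) is the usual defensive ordering, not taken from the thread.

```shell
# Dom0 firewall helper. The race described in the thread (eth0 not yet
# "up" when the script runs after xend) is handled by polling the kernel's
# operstate rather than bouncing the interface.
# NET_SYSFS is an assumed override for tests; default is the real sysfs path.
NET_SYSFS="${NET_SYSFS:-/sys/class/net}"

# Return 0 once interface $1 reports operstate "up", 1 after $2 seconds.
wait_for_iface() {
    iface="$1"; timeout="${2:-10}"; waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if [ -r "$NET_SYSFS/$iface/operstate" ] &&
           [ "$(cat "$NET_SYSFS/$iface/operstate")" = "up" ]; then
            return 0
        fi
        sleep 1; waited=$((waited + 1))
    done
    return 1
}

# Emit an iptables-restore ruleset for the filter table: default-deny on
# INPUT, drop INVALID first, accept replies to connections dom0 itself
# opened (the rule from the thread), keep loopback and SSH reachable.
# "-m state" is the 2007-era match; "-m conntrack --ctstate" is its
# modern equivalent.
build_rules() {
    iface="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $iface -m state --state INVALID -j DROP
-A INPUT -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $iface -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Only touch the live firewall when asked explicitly; generating and
# inspecting the ruleset needs no privileges.
if [ "${1:-}" = "apply" ]; then
    wait_for_iface eth0 30 || { echo "eth0 not up, not loading rules" >&2; exit 1; }
    build_rules eth0 | iptables-restore
fi
```

Running the script with `apply` loads the whole table in one transaction, so there is no window where only part of the ruleset is active; `build_rules eth0` on its own prints the ruleset for review.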

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
