Re: [Xen-users] Domain0 and firewalls
On Wednesday 22 February 2006 08:48, David Koski wrote:

> I am trying to configure a firewall (shorewall) for Domain0 and
> found this document:
>
> http://www.shorewall.net/Xen.html
>
> I had tried to simply install shorewall as I have done many times
> before on non-Xen systems but could not get traffic through the
> interfaces (eth0, eth1).
>
> The document above seems to imply that both eth0 and xenbr0
> interfaces have to be configured. All I am interested in is
> controlling traffic to and from Domain0, not the domUs. I want
> shorewall installed on each domU. Anyone have experience with
> this? Do domUs have special considerations when installing
> iptables rules? Can I use iptables in Domain0 on eth0 like a
> non-Xen system?

If your kernel is built with CONFIG_BRIDGE_NETFILTER=y (which most are), you
cannot totally ignore the bridge in Dom0 when configuring your firewall.
There are a couple of approaches you can take to modify a standard Shorewall
sample configuration to do what you want though:

a) - Add ipv4 zone 'xen' to /etc/shorewall/zones
   - add the following entry to /etc/shorewall/interfaces:

       xen    xenbr0    routeback

b) - Define explicit policies for all of your zone combinations
   - change the all->all policy to ACCEPT (with no logging)

I prefer a). It is similar to what I do (see
http://www.shorewall.net/XenMyWay.html).

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@xxxxxxxxxxxxx
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
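The reply's point is that with bridge netfilter compiled in, frames crossing xenbr0 are handed to dom0's iptables chains, so a Dom0-only ruleset silently affects domU traffic. The following POSIX shell script is an added example written for this note, not code from the thread or from the Shorewall project. It decides from a kernel config and the runtime sysctl whether bridged frames will be filtered, and prints the two Shorewall fragments for approach (a). Function names and the sample config text are my own; the BROADCAST column value "-" in the interfaces line is an assumption about the file layout.

```shell
#!/bin/sh
# Added example (not part of the list thread): report whether bridged domU
# frames traverse dom0's iptables chains, and print the Shorewall fragments
# for approach (a). CONFIG_BRIDGE_NETFILTER and the bridge-nf-call-iptables
# sysctl are real kernel names; everything else here is constructed.

# bridge_nf_built CONFIG_TEXT
#   Exit 0 if the kernel config text enables bridge netfilter (built-in or module).
bridge_nf_built() {
    printf '%s\n' "$1" | grep -Eq '^CONFIG_BRIDGE_NETFILTER=[ym]$'
}

# bridge_traffic_mode CONFIG_TEXT SYSCTL_VALUE
#   SYSCTL_VALUE is the content of /proc/sys/net/bridge/bridge-nf-call-iptables.
#   Prints "filtered" when bridged frames pass through iptables (the bridge must
#   then be covered by the firewall config) or "unfiltered" when they bypass it.
bridge_traffic_mode() {
    if bridge_nf_built "$1" && [ "$2" = "1" ]; then
        echo filtered
    else
        echo unfiltered
    fi
}

# shorewall_fragment BRIDGE_NAME
#   Prints the lines to append to /etc/shorewall/zones and
#   /etc/shorewall/interfaces for approach (a): a 'xen' zone on the bridge,
#   with routeback so frames between domUs on the same bridge are accepted.
shorewall_fragment() {
    br="${1:-xenbr0}"
    cat <<EOF
# /etc/shorewall/zones
#ZONE   TYPE
xen     ipv4

# /etc/shorewall/interfaces (BROADCAST column value is assumed)
#ZONE   INTERFACE   BROADCAST   OPTIONS
xen     $br      -           routeback
EOF
}

# probe_running_system
#   Uses the real kernel config and sysctl when readable; otherwise prints
#   "unknown" so the script is harmless to run on any host.
probe_running_system() {
    cfg=""
    if [ -r "/boot/config-$(uname -r)" ]; then
        cfg=$(cat "/boot/config-$(uname -r)")
    elif [ -r /proc/config.gz ]; then
        cfg=$(zcat /proc/config.gz)
    fi
    sysctl_file=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ -z "$cfg" ] || [ ! -r "$sysctl_file" ]; then
        echo unknown
        return 0
    fi
    bridge_traffic_mode "$cfg" "$(cat "$sysctl_file")"
}

# Constructed sample configs for demonstration (not captured from a real dom0).
SAMPLE_CFG_ON='CONFIG_BRIDGE=y
CONFIG_BRIDGE_NETFILTER=y'
SAMPLE_CFG_OFF='CONFIG_BRIDGE=y
# CONFIG_BRIDGE_NETFILTER is not set'

if [ "${1:-}" = "--demo" ]; then
    echo "sample kernel with bridge netfilter, sysctl=1: $(bridge_traffic_mode "$SAMPLE_CFG_ON" 1)"
    echo "sample kernel without bridge netfilter:        $(bridge_traffic_mode "$SAMPLE_CFG_OFF" 1)"
    echo "this host: $(probe_running_system)"
    shorewall_fragment xenbr0
fi
```

Run it with `--demo` to see both constructed cases and a probe of the local machine. The sysctl check matters because a kernel can have bridge netfilter built in while an administrator has set bridge-nf-call-iptables to 0, in which case the zone and interface entries are still harmless but no longer required for bridged traffic to flow.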