Re: [Xen-users] Domain0 and firewalls
On Wednesday 22 February 2006 01:14 pm, Tom Eastep wrote:
<snip>
> If your kernel is built with CONFIG_BRIDGE_NETFILTER=y (which most are), you
> cannot totally ignore the bridge in Dom0 when configuring your firewall.
> There are a couple of approaches you can take to modify a standard Shorewall
> sample configuration to do what you want though:
>
> a)
> - Add ipv4 zone 'xen' to /etc/shorewall/zones
> - add the following entry to /etc/shorewall/interfaces:
>
> xen xenbr0 routeback
>
> b)
> - Define explicit policies for all of your zone combinations
> - change the all->all policy to ACCEPT (with no logging)
>
> I prefer a). It is similar to what I do (see
> http://www.shorewall.net/XenMyWay.html).

Thanks Tom. Since I have eth0 and eth1 I have put this in zones:

fw   firewall
xen0 ipv4
xen1 ipv4

..and this in interfaces:

xen0 xenbr0 detect routeback
xen1 xenbr1 detect routeback

Perhaps xen0 would be better named loc and xen1 named dmz. Is that it?

I have printed XenMyWay.html but it is going to take a while to absorb.

Regards,
David Koski
david.nospham@xxxxxxxxxxxxxxxx

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
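As an added example (not code from the thread, from Shorewall or from Xen), the following POSIX sh script checks the two things that decide whether a bridge-aware Shorewall setup like the one above actually does what is expected: whether the kernel is really handing bridged IPv4 frames to iptables (the CONFIG_BRIDGE_NETFILTER behaviour Tom refers to), and whether every xenbr* entry in the interfaces file names a zone that is declared in the zones file and carries the 'routeback' option. The sample zones and interfaces files are constructed to mirror David's entries; the function names, temporary file layout and the second, deliberately broken sample are the example's own assumptions. The sysctl path it reads is the standard /proc/sys/net/bridge/bridge-nf-call-iptables.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall itself.
# Two checks a Dom0 admin can run before trusting a bridge-aware firewall:
#   1. is the kernel handing bridged IPv4 frames to iptables at all?
#   2. does every xenbr* entry in the interfaces file name a declared zone
#      and carry 'routeback', so domU-to-domU traffic on the same bridge is
#      not silently dropped by the default policy?

# Constructed sample files mirroring the zones/interfaces entries in the mail.
TMPDIR_EX=$(mktemp -d)
trap 'rm -rf "$TMPDIR_EX"' EXIT
ZONES_OK=$TMPDIR_EX/zones
IFACES_OK=$TMPDIR_EX/interfaces.ok
IFACES_BAD=$TMPDIR_EX/interfaces.bad

cat >"$ZONES_OK" <<'EOF'
#ZONE   TYPE
fw      firewall
xen0    ipv4
xen1    ipv4
EOF

cat >"$IFACES_OK" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
xen0    xenbr0      detect      routeback
xen1    xenbr1      detect      routeback
EOF

# Constructed broken variant: 'dmz' is never declared and xenbr1 lacks routeback.
cat >"$IFACES_BAD" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
xen0    xenbr0      detect      routeback
dmz     xenbr1      detect
EOF

# bridge_nf_active: prints "yes" when bridged IPv4 frames traverse iptables,
# "no" when the sysctl disables that, "unknown" when bridge netfilter is not
# present on this host (the sysctl only exists once br_netfilter is loaded).
bridge_nf_active() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ -r "$f" ]; then
        if [ "$(cat "$f")" = 1 ]; then echo yes; else echo no; fi
    else
        echo unknown
    fi
}

# zone_declared ZONE ZONES_FILE: true if ZONE appears in column 1 of ZONES_FILE.
zone_declared() {
    awk -v z="$1" '$1 !~ /^#/ && $1 == z { found = 1 } END { exit !found }' "$2"
}

# check_shorewall_bridges ZONES_FILE INTERFACES_FILE
# Returns 0 when every xenbr* interface has a declared zone and 'routeback';
# returns 1 and reports each problem on stderr otherwise.
check_shorewall_bridges() {
    zones_file=$1
    ifaces_file=$2
    rc=0
    while read -r zone iface _bcast opts; do
        case $zone in ''|'#'*) continue ;; esac       # blank or comment line
        case $iface in xenbr*) ;; *) continue ;; esac  # only Xen bridges matter here
        opts=${opts%%#*}                               # drop a trailing comment
        opts=$(printf '%s' "$opts" | tr -d ' \t')      # options are comma separated
        if ! zone_declared "$zone" "$zones_file"; then
            echo "$iface: zone '$zone' is not declared in $zones_file" >&2
            rc=1
        fi
        case ",$opts," in
            *,routeback,*) ;;
            *) echo "$iface: missing 'routeback' (traffic between domUs on this bridge would hit the default policy)" >&2
               rc=1 ;;
        esac
    done < "$ifaces_file"
    return $rc
}

echo "bridge-nf-call-iptables on this host: $(bridge_nf_active)"
check_shorewall_bridges "$ZONES_OK" "$IFACES_OK" && echo "sample config: OK"
check_shorewall_bridges "$ZONES_OK" "$IFACES_BAD" || echo "broken sample: problems found, as expected"
```

Run it as-is to see both samples checked; to check a live Dom0, call check_shorewall_bridges with /etc/shorewall/zones and /etc/shorewall/interfaces instead. If bridge_nf_active prints "no" or "unknown", iptables in Dom0 never sees bridged frames and the zone/interface entries above have no effect on domU-to-domU traffic.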