|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: [Xen-users] Xen 3.4.2 networking help
Jonathan Tripathy wrote: If you are refering to the OUTPUT chain of the Dom0 itself, surely you wouldn't use physdev at all? Wouldn't you just use "iptables -A OUTPUT -o ethx ...."? Dunno about iptables specifics - I only use Shorewall and I know it's a limitation. But isn't "-o ethx" a device match ? If there was a way around the limitation, I'm sure Tom Eastep would have figured it out. In any case, I don't block by interface on the Dom0's OUTPUT chain. No real need to when the INPUT chain is protected with "iptables -A INPUT -i ..." I only ever use physdev on the FORWARD chain, which works for both incoming and outgoing traffic. Well for me input restrictions are sufficient on Dom0 since no-one else is running stuff on Dom0. On my DomUs I also block outbound by default so that "less security minded" users have less scope to cause problems and/or there is less scope if a machine gets compromised. -- Simon Hobson Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books. _______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-users
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |