I took over a custom firewall script from my older Suse machines to my Dom-Us and it works just fine. Doing the same for Dom-0 immediately killed all traffic for the VMs. As there was no need before I had been dropping everything on the FORWARD chain. After ACCEPTing all for FORWARD my VMs are happy again.

What's best practice on Dom-0, what do you do? Can I restrict the forwarding, in which way?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Kai Schaetzl wrote:
> What's best practice on Dom-0, what do you do? Can I restrict the
> forwarding, in which way?

I use vmware, not XEN, but I think everything is the same, as if you have physical machines.

I use shorewall everywhere and find it great.
http://shorewall.net
rpms: http://www.invoca.ch/pub/packages/shorewall/

HTH

--
Sincerely,
John Thomas
John Thomas wrote on Sun, 13 Jul 2008 07:44:14 -0700:
> but I think everything is the same, as if you
> have physical machines.

It's not, see my remark about forwarding ;-) Maybe you need forwarding on your physical machines, I do not ;-)

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
On Sun, Jul 13, 2008 at 2:19 PM, Kai Schaetzl <maillists@conactive.com> wrote:
> I took over a custom firewall script from my older Suse machines to my
> Dom-Us and it works just fine. Doing the same for Dom-0 immediately killed
> all traffic for the VMs. As there was no need before I had been dropping
> everything on the FORWARD chain. After ACCEPTing all for FORWARD my VMs
> are happy again.
> What's best practice on Dom-0, what do you do? Can I restrict the
> forwarding, in which way?

For restricting traffic at the dom0 level I use ebtables (it's like iptables but on a bridge level). It allows you to do basic filtering between the real interfaces (from the dom0) and virtual interfaces (from the domUs). This of course works because Xen is using bridges to link the real interfaces with the virtual ones.

Regards,
Tim

--
Tim Verhoeven - tim.verhoeven.be@gmail.com - 0479 / 88 11 83

Hoping the problem magically goes away by ignoring it is the "microsoft approach to programming" and should never be allowed. (Linus Torvalds)
Tim Verhoeven wrote on Thu, 17 Jul 2008 10:15:49 +0200:
> For restricting traffic at the dom0 level I use ebtables (it's like
> iptables but on a bridge level). It allows you to do basic filtering
> between the real interfaces (from the dom0) and virtual interfaces
> (from the domU's). This of course works because Xen is using bridges
> to link the real interfaces with the virtual ones.

Thanks for the answer :-)

I know of ebtables, but not too much. As I understand it I don't really need it if I run iptables on both host and guests.

What I'm wondering about is that xend adds a forwarding rule each time a dom-U is started. Like this:

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif1.0
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif2.0
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif3.0

However, if I flush that chain I do not see any difference, networking for the dom-U works like before. And, on the other hand, if I attempt to flush all chains with the exception of this single chain (to keep it like Xen wanted it to be, just to be sure) I get an error "too many links" or so. Which means if I want to establish my own rules and make sure that all old rules get reset - with the exception of the forward chain - I can't. At least I haven't found another way to achieve that. Is there?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
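One way to get the clean reset the last message asks about, added here as an example and not code from any of the posters: instead of flushing chains one by one, rebuild the filter table from an iptables-save dump, keeping only the xend-added physdev rules, and load the result with iptables-restore, which replaces the table atomically. It assumes xend's rules are recognisable by the `--physdev-in vifN.M` match shown in the thread (the `--physdev-out` variant is also kept in case it is present), that only the filter table should be reset, and that the dump below is a constructed sample.

```shell
#!/bin/sh
# Rebuild the dom0 filter table, keeping only the FORWARD rules xend added.
# Usage on a dom0 (iptables-save/iptables-restore assumed present):
#   iptables-save | keep_xen_forward_rules | iptables-restore
# then append your own INPUT/OUTPUT/FORWARD rules with plain iptables calls.

# Reads an iptables-save dump on stdin, writes a restore-able filter table
# on stdout. Kept: the *filter header, the three built-in chain lines with
# their policies, FORWARD rules matching a vif via physdev, and COMMIT.
# Dropped: every other rule, custom chains, and all other tables (nat, ...).
keep_xen_forward_rules() {
    awk '
        /^\*/                  { table = $1 }          # *filter, *nat, ...
        table != "*filter"     { next }                # only the filter table
        /^\*filter$/           { print; next }
        /^:(INPUT|FORWARD|OUTPUT) / { print; next }    # built-in chains + policies
        /^COMMIT$/             { print; next }
        /^-A FORWARD / && /--physdev-(in|out) vif/ { print; next }
        # anything else (custom chains, own rules, comments) is not re-emitted
    '
}

# Constructed sample dump, shaped like the FORWARD chain shown in the thread
# plus some admin-added rules and a nat table that must not survive the reset.
SAMPLE_DUMP='# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:custom - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j custom
-A FORWARD -m physdev --physdev-in vif1.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif2.0 -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -j DROP
-A custom -p tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Stand-alone run: print the reduced ruleset for the sample dump.
printf '%s\n' "$SAMPLE_DUMP" | keep_xen_forward_rules
```

The output is a valid iptables-restore input, so the old rules disappear and the xend rules stay in one step; the chain policies are carried over unchanged.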