Hi,

Reading up on many articles in the mailing list and wiki and on the web, I still can't figure out how to secure dom0 without affecting the domU instances.

How can I only allow (or even disallow altogether) dom0 traffic while not affecting domU instances?

I tried creating a new chain just for dom0:

-A FORWARD -m physdev --physdev-in vif0.0 -j NODE

While it appears the traffic for dom0 goes on to this rule, if I set up the chain as what's listed below, performing an nmap still shows all ports are open.

# allow icmp packets
-A NODE -p icmp --icmp-type any -j ACCEPT
# allow existing traffic through
-A NODE -i vif0.0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow DNS traffic through
-A NODE -p 50 -j ACCEPT
-A NODE -p 51 -j ACCEPT
-A NODE -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# reject all other ports
-A NODE -j REJECT --reject-with icmp-host-prohibited

Anyone have any ideas how to secure dom0??

Thanks.

-L

--
Larry Ludwig
Empowering Media
1-866-792-0489 x600
Have you visited our customer service blog?
http://www.supportem.com/blog/

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users