Hey folks

I have installed Xen on a machine and everything works so amazingly well. I can run ttylinux and some of those premade distribution images. My networking setup is very simple and is as follows:

Internet <---> eth0 <---> xen-br0 <----> Xen guests

I do have two questions:

First, I've noticed that on most bridging HOWTO's they state that eth0 should be set to 0.0.0.0, however I've noticed that on my machine it is configured with an IP (via the distribution init scripts) and that xen-br0 simply copies its IP. Is this normal?

Also, I've noticed that when I do run a xen guest, it creates a network port to do whatever it does. My concern is that I've noticed I can reach this port from the outside world and I assume that may be a security risk. So I was wondering are there iptable scripts to lock down a xen machine? or a bridging setup?

I don't understand too much about this bridging networking, so I wouldn't really know how to go about creating an iptables script for the host.

Thanks!!

Dana

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
On Monday 16 May 2005 10:17 am, Dana Lux wrote:
> I don't understand too much about this bridging networking, so I
> wouldn't really know how to go about creating an iptables script for
> the host.

I'm not too sure either, buuuut I've noticed that when you do

iptables BLAH BLAH BLAH -i eth0

it doesn't work, while ....

iptables BLAH BLAH BLAH

works fine *shrug*

Sunny Dubey
Dominique Rousseau
2005-May-17 07:11 UTC
Re: [Xen-users] Securing the host's networking ?
On Mon, May 16, 2005 at 10:17:34AM -0400, Dana Lux [dana.lux@gmail.com] wrote:
> Internet <---> eth0 <---> xen-br0 <----> Xen guests
>
> I do have two questions:
>
> First, I've noticed that on most bridging HOWTO's they state that eth0
> should be set to 0.0.0.0, however I've noticed that on my machine it
> is configured with an IP (via the distribution init scripts) and that
> xen-br0 simply copies its IP. Is this normal ?

Yes, that's how it is supposed to be (in a simple case like yours).

The matter is that once an interface is part of a bridge it doesn't see traffic on ethX anymore but on brX, so in cases described in the HOWTOs they just consider that ethX should as well have 0.0.0.0.

But in the case of the xen scripts, they just copy the IP of ethX to brX so as not to cut the network link.

Dom

--
Dominique Rousseau
Neuronnexion, Prestataire Internet & Intranet
57, route de Paris 80000 Amiens
tel: 03 22 71 61 90 - fax: 03 22 71 61 99 - http://www.neuronnexion.fr
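
An added example, not written by any poster in this thread: a shell function that generates an `iptables-restore` ruleset for the host in the topology above, matching host-bound traffic on the bridge (where it is seen once eth0 is enslaved) and using the `physdev` match for bridged guest traffic. The interface names come from the thread; the allowed ports, the default-deny policy and the guest forwarding policy are assumptions, and bridge-netfilter must be active for FORWARD to see bridged frames.

```shell
#!/bin/sh
# Added example: default-deny ruleset for a Xen host whose eth0 is a port
# of the bridge xen-br0. Policy choices below are illustrative assumptions.

BRIDGE="xen-br0"   # carries the host IP once eth0 joins the bridge
UPLINK="eth0"      # physical port enslaved to the bridge

# gen_rules "<space-separated TCP ports>" prints the ruleset on stdout.
# Returns 1 (and prints nothing on stdout) if a port is not a plain number,
# so untrusted input cannot smuggle extra rule text into the output.
gen_rules() {
    allowed_ports="$1"
    for p in $allowed_ports; do
        case "$p" in
            ''|*[!0-9]*) echo "invalid port: $p" >&2; return 1 ;;
        esac
    done

    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # Traffic addressed to the host arrives on the bridge, not on the
    # enslaved port, so the input interface to match is the bridge.
    for p in $allowed_ports; do
        echo "-A INPUT -i $BRIDGE -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done

    # Bridged guest traffic has the bridge as both in and out interface;
    # physdev identifies the real port. Guests may open connections out
    # through the uplink; only replies are allowed back in (assumed policy).
    echo "-A FORWARD -m physdev --physdev-is-bridged --physdev-out $UPLINK -j ACCEPT"
    echo "-A FORWARD -m physdev --physdev-is-bridged --physdev-in $UPLINK -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "COMMIT"
}
```

Check the generated rules with `gen_rules "22" | iptables-restore --test` from a console session before loading them, since the default-deny INPUT policy will cut off any remote service not listed.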