Hi,

I'm still having trouble with my IPTables configuration for Dom0. Personally I've always edited the IPTables file directly: /etc/sysconfig/iptables

If someone could please give me a copy of their IPTables config file for Dom0 I'd very much appreciate it. I'm running FC4 and Xen is acting as a Bridge.

ifconfig gives me:

eth0      Link encap:Ethernet  HWaddr 00:30:48:56:60:32
          inet addr:my.ip.add.180  Bcast:my.ip.add.191  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5224433 errors:0 dropped:0 overruns:0 frame:0
          TX packets:100625 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:349329834 (333.1 MiB)  TX bytes:26844669 (25.6 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1958 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1958 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:348309 (340.1 KiB)  TX bytes:348309 (340.1 KiB)

peth0     Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:67937788 errors:0 dropped:0 overruns:0 frame:0
          TX packets:71870691 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:15816156801 (14.7 GiB)  TX bytes:35775068344 (33.3 GiB)
          Interrupt:49

vif0.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:286936 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5649081 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:74916083 (71.4 MiB)  TX bytes:385133846 (367.2 MiB)

vif24.0   Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:71490158 errors:0 dropped:0 overruns:0 frame:0
          TX packets:67253334 errors:0 dropped:604 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:35302634814 (32.8 GiB)  TX bytes:15303385139 (14.2 GiB)

vif24.1   Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:5251680 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

vif26.0   Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:75130 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5233980 errors:0 dropped:439 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:10136457 (9.6 MiB)  TX bytes:396055348 (377.7 MiB)

xenbr0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5408593 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:284947140 (271.7 MiB)  TX bytes:0 (0.0 b)

If someone could please help it would be much appreciated. If I could see an example of a working config file, even a very basic one, then I'm sure I could figure out what I need to do.

Lyle

------------------------------------------------------------
Lyle Hopkins - CosmicPerl.com CGI Scripts
- Internet software solutions for the professional webmaster
Email: webmaster@cosmicperl.com
Web site: http://www.cosmicperl.com
Specializing in Affiliate Software solutions
------------------------------------------------------------

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
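A minimal /etc/sysconfig/iptables for a bridged Dom0 in the layout the ifconfig output above shows, added here as a constructed example that is not from any poster in this thread. It assumes the Xen 3.0 network-bridge naming (eth0 is Dom0's own address on the bridge, peth0 the physical NIC, vifN.M the DomU ports on xenbr0), that the ipt_physdev module is available, and that the kernel's bridge netfilter hook is enabled so frames bridged between peth0 and the vifs traverse the FORWARD chain; the ports and log prefixes are illustrative choices.

```text
# /etc/sysconfig/iptables for a bridged Xen Dom0 (constructed example)
# Loaded with "service iptables restart" (iptables-restore format).
# Assumes /proc/sys/net/bridge/bridge-nf-call-iptables is 1, so frames
# bridged between peth0 and the vifs pass through the FORWARD chain.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# --- Traffic addressed to Dom0 itself: keep this surface minimal ---
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "dom0-input-drop: "
-A INPUT -j DROP
# --- Bridged DomU traffic: -i/-o only ever see xenbr0, so match the
# bridge port with the physdev module instead ---
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# guests may initiate anything outbound (frames entering from a vif)
-A FORWARD -m physdev --physdev-in vif+ -j ACCEPT
# only web ports may be opened inbound to guests (frames leaving to a vif)
-A FORWARD -m physdev --physdev-out vif+ -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "dom0-forward-drop: "
-A FORWARD -j DROP
COMMIT
```

Check that bridge netfilter is actually on with cat /proc/sys/net/bridge/bridge-nf-call-iptables (expect 1): without it the FORWARD rules never see guest traffic and the guest policy silently does nothing while the INPUT chain still protects Dom0.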
xen@cosmicnetworks.com wrote:
> I'm still having trouble with my IPTables configuration for Dom0.
> If someone could please give me a copy of their IPTables config
> file for Dom0 I'd very much appreciate it.

Hopefully there exists some sort of GUI tool for editing the iptables configuration.

Non-GUI-managed firewalls? When was that considered practical.. circa 1980?
On Tuesday 25 April 2006 18:34, Molle Bestefich wrote:
> Non-GUI-managed firewalls?
> When was that considered practical.. circa 1980?

Huh? I don't use a GUI to manage our firewall, and that's pretty standard for all organizations I know around here. Using a GUI to manage a firewall (and hiding the inherent complexity that a firewall always is) is more error-prone than an administrator who knows what he's doing and can reasonably efficiently see what parts of the system a change to the firewall rules would affect. Additionally, an administrator can compute much shorter rulesets than an equivalent automated tool. Of course, this only applies to one-level firewalling; if you have two or more levels, a helper certainly is in order, especially if you need to trace packet paths. But a GUI? Why?

Anyway, I'd happily post our /etc/sysconfig/iptables (which is pretty standard stuff), if there was such a beast under Gentoo, but alas, there isn't. It's not RedHat.

--- Heiko.
Hi,

On 25 Apr 2006, at 18:47, Heiko Wundram wrote:
> Anyway, I'd happily post our /etc/sysconfig/iptables (which is
> pretty standard
> stuff), if there was such a beast under Gentoo, but alas, there
> isn't. It's
> not RedHat.

I think there is - under Gentoo, the command iptables-save should output your rules, or /var/lib/iptables/rules-save contains them.

Yours,
Craig

--
Craig Webster | t: +44 (0)131 516 8595 | e: craig@xeriom.net
Xeriom.NET    | f: +44 (0)131 661 0689 | w: http://xeriom.net
Heiko Wundram wrote:
> Molle Bestefich:
> > Non-GUI-managed firewalls?
> > When was that considered practical.. circa 1980?
>
> Huh? I don't use a GUI to manage our firewall, and that's pretty standard for
> all organizations I know around here.

If you had tried it, I don't think you would be going back to editing configuration files :-).

> Using a GUI to manage a firewall (and
> hiding the inherent complexity that a firewall always is), is more errorprone
> than an administrator who knows what he's doing and can reasonably
> efficiently see what parts of the system a change to the firewall rules would
> affect,

I don't think that's true. In fact, I'll bet that the non-GUI user introduces many more errors because he has a lack of overview in comparison to the GUI user.

> additionally, an administrator can compute much shorter
> rulesets than an equivalent automated tool.

Who said anything about automated?
I happily manage via ssh, Shorewall iptables rules for Dom0-DomU routing, with three external public IP addresses, and two vpn WANs. Shorewall version 3 is fantastic. Especially if you're prepared to properly parametrise your script. I don't feel I'd trust a GUI.

Apologies for off-topic.

piersdd@imap-mail.com
http://web.mac.com/piersdd/iWeb/Five9s/ethereality/ethereality.html

On 27/04/2006, at 10:30 AM, Molle Bestefich wrote:
> Heiko Wundram wrote:
>> Molle Bestefich:
>>> Non-GUI-managed firewalls?
>>> When was that considered practical.. circa 1980?
>>
>> Huh? I don't use a GUI to manage our firewall, and that's pretty
>> standard for
>> all organizations I know around here.
>
> If you had tried it, I don't think you would be going back to editing
> configuration files :-).
>
>> Using a GUI to manage a firewall (and
>> hiding the inherent complexity that a firewall always is), is more
>> errorprone
>> than an administrator who knows what he's doing and can reasonably
>> efficiently see what parts of the system a change to the firewall
>> rules would
>> affect,
>
> I don't think that's true.
> In fact, I'll bet that the non-GUI user introduces many more errors
> because he has a lack of overview in comparison to the GUI user.
>
>> additionally, an administrator can compute much shorter
>> rulesets than an equivalent automated tool.
>
> Who said anything about automated?
On Thursday 27 April 2006 02:30, you wrote:
> Heiko Wundram wrote:
> > Huh? I don't use a GUI to manage our firewall, and that's pretty standard
> > for all organizations I know around here.
>
> If you had tried it, I don't think you would be going back to editing
> configuration files :-).

I did try it, more than once, and I sure as hell always went back to editing configuration files every single time, because I felt that I could achieve my goal faster, and inherently less error-prone, that way. ;-)

> > Using a GUI to manage a firewall (and
> > hiding the inherent complexity that a firewall always is), is more
> > errorprone than an administrator who knows what he's doing and can
> > reasonably efficiently see what parts of the system a change to the
> > firewall rules would affect,
>
> I don't think that's true.
> In fact, I'll bet that the non-GUI user introduces many more errors
> because he has a lack of overview in comparison to the GUI user.

That's not true. Normally, the firewall administrator will be a job with a dedicated person, who only takes care of the firewall, and doesn't rotate between several different people. The firewall administrator knows what the firewall looks like (at the moment), and so it should be easy for him to remember the general layout of the current ruleset, and also to remember changes he made to that (because he probably also designed the firewall) to implement a new ruleset. A GUI doesn't make it easier to remember the ruleset; you just get icons which signify what the current ruleset basically looks like. That doesn't make it easier, it makes it more colorful.

> > additionally, an administrator can compute much shorter
> > rulesets than an equivalent automated tool.
>
> Who said anything about automated?

Have you seen what amounts of cruft FWBuilder spits out? I'd call that magic and automated.

--- Heiko.