Hi,

I've built a new server using the Xen Debian Lenny packages. I'm trying to firewall Dom0, which I can do OK, but it then blocks access to the DomUs. Has anyone managed to do this successfully?

Thanks

Ian
_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
----- "Ian Tobin" <itobin@tidyhosts.com> wrote:
> I've built a new server using the Xen Debian Lenny packages. I'm trying to
> firewall Dom0, which I can do OK, but it then blocks access to the
> DomUs. Has anyone managed to do this successfully?

Are you trying to restrict access to the Dom0 using iptables? According to this page (http://wiki.xensource.com/xenwiki/XenNetworking) at the Xen Wiki, packets crossing the bridge interface into a vif pass through the FORWARD chain of iptables. If this chain has a default policy of DROP or REJECT, then packets passing through the bridge to the DomUs will be impeded.
Yes, I'm trying to restrict traffic to Dom0.

I'm not quite sure what policy to set. I did have one set up before when I used the source version of Xen, but the deb version is causing problems when I apply the firewall script.

Do you have a default one you use?

Thanks

Ian

-----Original Message-----
From: Thaddeus Hogan [mailto:thaddeus@thogan.com]
Sent: 24 June 2009 02:20
To: Ian Tobin
Cc: xen-users@lists.xensource.com
Subject: Re: [Xen-users] Dom 0 firewall
On 23.06.2009 23:17, Ian Tobin wrote:
> Hi,
>
> I've built a new server using the Xen Debian Lenny packages. I'm trying to
> firewall Dom0, which I can do OK, but it then blocks access to the
> DomUs. Has anyone managed to do this successfully?

I have done this a while ago, maybe it helps.

http://wiki.xensource.com/xenwiki/shorewall

florian
Ian Tobin wrote:
> Yes, I'm trying to restrict traffic to Dom0.
>
> I'm not quite sure what policy to set. I did have one set up before when I used the source version of Xen, but the deb version is causing problems when I apply the firewall script.
>
> Do you have a default one you use?
>
> Thanks
>
> Ian

Hi,

As I always say, the firewall goal is not always to block / reject. Here's our rate limiting script:

http://git.gplhost.com/gitweb/?p=dtc-xen.git;a=blob;f=debian/dtc-xen-firewall.init;h=49a644e010fcf532ef845e11348dffc316d966f5;hb=c15d392e6d4760c7c01df17941e0fec2c898010d

It works with the following config file:

http://git.gplhost.com/gitweb/?p=dtc-xen.git;a=blob;f=etc/dtc-xen/dtc-xen-firewall-config;h=1d58eb0f84636df8d85d5ec73b8d0bdb39922ef1;hb=c15d392e6d4760c7c01df17941e0fec2c898010d

If others have some ideas to implement in this general purpose anti-DoS firewall script, I'd be VERY happy to have contributions.

Thomas
Ian Tobin wrote:
> Do you have a default one you use?

Oh, and I forgot, there's a RedHat (RPM) and Debian (deb) package that goes with it... That might be easier to set up!

What OS do you use in your dom0?

Thomas
Hi Thomas,

> If others have some ideas to implement in this general purpose anti-DoS
> firewall script, I'd be VERY happy to have contributions.

The default setting for ip_pkt_list_tot is 20, which means that having --hitcount set greater than 20 will always fail. You can increase this setting (when loading the module or at boot), but the maximum value allowed is 255.

Cheers,

Brad
Hi,

It's Debian Lenny; Xen is installed from the deb packages.

Thanks

Ian

-----Original Message-----
From: xen-users-bounces@lists.xensource.com [mailto:xen-users-bounces@lists.xensource.com] On Behalf Of Thomas Goirand
Sent: 25 June 2009 01:36
To: xen-users@lists.xensource.com
Subject: Re: [Xen-users] Dom 0 firewall