Hi,

I've set up a Debian-based Xen (dom0) with two domUs of the same OS flavour; I'm using bridging and static IPs for my domUs.
I wonder whether the firewall settings for dom0 are enough to protect the domUs, or do I need to set up separate firewall rules for the domUs individually.

I had a look through the Xen wiki (http://wiki.xensource.com/xenwiki/XenNetworking) but couldn't find an exact item on this in detail.

Many thanks for help!

-Jan

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Fajar A. Nugraha
2010-Mar-06 10:00 UTC
Re: [Xen-users] Firewall settings for domUs in Xen!
On Fri, Mar 5, 2010 at 6:43 PM, Jan Muhammad <janmuhd@yahoo.com> wrote:
>
> Hi,
>
> I've set up a Debian-based Xen (dom0) with two domUs of the same OS flavour; I'm using bridging and static IPs for my domUs.
> I wonder whether the firewall settings for dom0 are enough to protect the domUs

Bridged traffic is also filtered by dom0's iptables on the default setup, but the default rule is "allow all traffic that belongs to domU's interface". The rule is like this:

-A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif2.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif2.0 -j ACCEPT

I highly suggest you leave it as it is, as filtering domUs' traffic on domU can lead to a complex setup.

> or do I need to set up separate firewall rules for the domUs individually.

That would be best. When setting up bridged networking, it's easiest to think of dom0 like a switch. Think of domU like any other physical machine on the network. Do what you usually do to set up a firewall on physical machines.

--
Fajar
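Added example, not part of the thread or of Xen's own scripts: a small audit that reads dom0's FORWARD chain in iptables-save format and reports, per vif and direction, what happens to traffic that no conditional rule matched. The `:FORWARD ACCEPT` policy line and the vif3.0 rules in the sample are constructed assumptions; conditional rules that do not name a vif through physdev are not attributed to any domU.

```python
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
FLAGS = {"--physdev-in": "from_domU", "--physdev-out": "to_domU"}
# Constructed iptables-save excerpt. The two vif2.0 rules are the ones quoted
# in the reply; the policy line and the vif3.0 rules are assumptions.
SAMPLE = """\
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif2.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif2.0 -j ACCEPT
-A FORWARD -p tcp -m physdev --physdev-in vif3.0 -m tcp --dport 25 -j DROP
-A FORWARD -m physdev --physdev-in vif3.0 -j ACCEPT
COMMIT
"""

def new_entry():
    return {"default": None, "conditional": 0}

def audit_forward(ruleset):
    """Per vif/direction: verdict for unmatched traffic and count of conditional rules."""
    fallback, report = "ACCEPT", {}
    for line in ruleset.splitlines():
        if line.startswith(":FORWARD "):
            fallback = line.split()[1]            # chain policy
        if not line.startswith("-A FORWARD "):
            continue
        tok = shlex.split(line)[2:]
        target = tok[tok.index("-j") + 1] if "-j" in tok else None
        if target not in TERMINAL:
            continue                              # LOG, user chains: no verdict
        if tok == ["-j", target]:                 # catch-all: the rest is unreachable
            fallback = target
            break
        for flag in (f for f in FLAGS if f in tok):
            vif = tok[tok.index(flag) + 1]
            entry = report.setdefault(vif, {}).setdefault(FLAGS[flag], new_entry())
            rest = [t for t in tok if t not in ("-m", "physdev", flag, vif, "-j", target)]
            if entry["default"] is None and rest:
                entry["conditional"] += 1         # e.g. state or port match
            elif entry["default"] is None:
                entry["default"] = target
    for dirs in report.values():                  # nothing unconditional matched:
        for direction in FLAGS.values():          # the packet falls through
            entry = dirs.setdefault(direction, new_entry())
            entry["default"] = entry["default"] or fallback + " (fallthrough)"
    return report

if __name__ == "__main__":
    print(audit_forward(SAMPLE))
```

Run it against the output of `iptables-save` on dom0: a direction whose default is ACCEPT with no conditional rules is one where dom0 is not filtering for that domU, so the protection has to come from the domU's own firewall.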