
Re: [Xen-users] Domain0 and firewalls

On Wednesday 22 February 2006 08:48, David Koski wrote:
> I am trying to configure a firewall (shorewall) for Domain0 and
> found this document:
> http://www.shorewall.net/Xen.html
> I had tried to simply install shorewall as I have done many times
> before on non-Xen systems but could not get traffic through the
> interfaces (eth0, eth1).
> The document above seems to imply that both eth0 and xenbr0
> interfaces have to be configured. All I am interested in is
> controlling traffic to and from Domain0, not the domUs. I want
> shorewall installed on each domU. Anyone have experience with
> this? Do domUs have special considerations when installing
> iptables rules? Can I use iptables in Domain0 on eth0 like a
> non-Xen system?

If your kernel is built with CONFIG_BRIDGE_NETFILTER=y (which most are), you
cannot totally ignore the bridge in Dom0 when configuring your firewall.
There are a couple of approaches you can take to modify a standard Shorewall
sample configuration to do what you want though:

        a) - Add ipv4 zone 'xen' to /etc/shorewall/zones
           - add the following entry to /etc/shorewall/interfaces:

                xen     xenbr0          routeback

        b) - Define explicit policies for all of your zone combinations
           - change the all->all policy to ACCEPT (with no logging)

I prefer a). It is similar to what I do (see 

Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@xxxxxxxxxxxxx
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
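As an added example (not part of Tom's reply and not Shorewall project code), here is a POSIX shell helper that does two things a Dom0 admin would want before and while applying approach a): it checks whether the running kernel is actually handing bridged frames to iptables (the knob CONFIG_BRIDGE_NETFILTER exposes as /proc/sys/net/bridge/bridge-nf-call-iptables), and it writes the xen zone, the xenbr0 routeback interface entry and an xen->xen policy into the Shorewall files. Assumptions beyond what the thread states: the Shorewall 3.x-era column layout (zones: ZONE TYPE; interfaces: ZONE INTERFACE BROADCAST OPTIONS; policy: SOURCE DEST POLICY LOG_LEVEL), that the sample policy file ends with an all->all REJECT catch-all, and that xen->xen should be ACCEPT because the poster wants each domU to filter for itself. Shorewall applies the first matching policy, so the xen->xen line is inserted above the catch-all rather than appended; that ordering detail is mine, not the post's.

```shell
#!/bin/sh
# Added example, not code from the original thread or from the Shorewall
# project.  Implements approach a) for a Dom0 running a CONFIG_BRIDGE_NETFILTER
# kernel, plus the check a practitioner wants first: is bridged traffic really
# being handed to iptables?
#
# Assumptions (not stated on the page):
#   - Shorewall 3.x-era column layout:  zones:      ZONE TYPE
#                                       interfaces: ZONE INTERFACE BROADCAST OPTIONS
#                                       policy:     SOURCE DEST POLICY LOG_LEVEL
#   - the sample policy file ends with an 'all all REJECT ...' catch-all; Shorewall
#     uses the first matching policy, so xen->xen must sit above it.
#   - xen->xen is ACCEPT because the original poster filters inside each domU.

XEN_ZONE_LINE='xen      ipv4'
XEN_IFACE_LINE='xen      xenbr0     detect     routeback'
XEN_POLICY_LINE='xen      xen        ACCEPT'

# Returns 0 if the running kernel passes bridged frames through iptables.  The
# sysctl only exists with CONFIG_BRIDGE_NETFILTER=y and the bridge code loaded;
# $1 lets a test point at a fake /proc tree.
bridge_nf_active() {
    proc_root="${1:-/proc}"
    f="$proc_root/sys/net/bridge/bridge-nf-call-iptables"
    [ -r "$f" ] || return 1
    [ "$(cat "$f")" = "1" ]
}

# Append $1 to file $2 unless an identical line is already there.
append_once() {
    line="$1"; file="$2"
    touch "$file"
    grep -Fqx -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Like append_once, but place the line above the first 'all ...' policy so it
# is evaluated before the catch-all.
insert_policy() {
    line="$1"; file="$2"
    touch "$file"
    grep -Fqx -- "$line" "$file" && return 0
    if grep -Eq '^all[[:space:]]' "$file"; then
        awk -v l="$line" '!done && /^all[[:space:]]/ { print l; done = 1 } { print }' \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s\n' "$line" >> "$file"
    fi
}

# Write the approach a) fragments under $1 (default /etc/shorewall).
write_xen_fragments() {
    dir="${1:-/etc/shorewall}"
    mkdir -p "$dir"
    append_once "$XEN_ZONE_LINE" "$dir/zones"
    # routeback: a domU<->outside frame is forwarded by the bridge and reaches
    # the FORWARD chain as xenbr0 -> xenbr0, which Shorewall otherwise rejects.
    append_once "$XEN_IFACE_LINE" "$dir/interfaces"
    insert_policy "$XEN_POLICY_LINE" "$dir/policy"
}

# How many of the three fragments are present under $1 (0-3), so a caller can
# verify the result without grepping the files itself.
xen_fragments_present() {
    dir="$1"; n=0
    grep -Fqx -- "$XEN_ZONE_LINE"   "$dir/zones"      2>/dev/null && n=$((n + 1))
    grep -Fqx -- "$XEN_IFACE_LINE"  "$dir/interfaces" 2>/dev/null && n=$((n + 1))
    grep -Fqx -- "$XEN_POLICY_LINE" "$dir/policy"     2>/dev/null && n=$((n + 1))
    echo "$n"
}
```

Typical use on the Dom0 itself is `bridge_nf_active && write_xen_fragments` followed by `shorewall check`; if bridge_nf_active fails, the bridge is invisible to iptables and the plain non-Xen configuration on eth0 is all that is needed.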
