Re: [Xen-users] Firewalls
On Fri, 7 Apr 2006 09:04:06 -0500
Jacob S <stormspotter@xxxxxxxxxxx> wrote:

> Hello list,
>
> I'm having trouble getting my firewall working on dom0. I do not have
> any domUs setup yet, it is just the primary dom0 running.
>
> I had a firewall script that worked great and did what I needed it to
> before I installed Xen. However, after installing Xen, it seems to
> block all incoming traffic (including pings). Previously it allowed
> incoming ssh, smtp, http, etc. The script uses iptables.
>
> I have not changed anything in the firewall script. Since it still
> uses the same ip address and the ip is still assigned to the same
> eth0 NIC, it seems like I shouldn't need to change anything in the
> firewall script. But it doesn't seem to be working that way.
>
> Do I need to tell the firewall about any of the xenbrX or vifX.X
> interfaces or anything to get it to work? Ip_tables is obviously
> compiled into the kernel, and I can see it is loaded when I check with
> an lsmod. I can post the iptables rules here if needed, but didn't
> want to make the e-mail extra long if it's not needed.

Thanks to someone that e-mailed me off-list, I was able to get the
firewall working by switching to network-route instead of the default
network-bridge in xend-config.sxp.

So, now my question is, is it expected for network-bridge to be
incompatible with iptables, or is this a bug?

Thanks,
Jacob

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users