Re: [Xen-users] Firewalls
On Friday 07 April 2006 10:44, Jacob S wrote:

> So, now my question is, is it expected for network-bridge to be
> incompatible with iptables, or is this a bug?

Neither -- it is rather your lack of understanding of how bridges (like the one created by xend) and iptables/Netfilter interact.

When your kernel is compiled with CONFIG_BRIDGE_NETFILTER=y, traffic passing through bridges is processed by Netfilter. When xend starts, it creates a bridge (xenbr0) through which all traffic into and out of eth0 flows. See the first part of http://www.shorewall.net/Xen.html for details.

So to make your existing script work in dom0, at the very least you need to add:

    $IPTABLES -A FORWARD -i xenbr0 -o xenbr0 -j ACCEPT

Configuring a secure firewall in dom0 that also controls traffic to/from the domUs is a rather complex task -- I find it easier to run my firewall in a domU (see http://www.shorewall.net/XenMyWay.html).

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@xxxxxxxxxxxxx
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
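A skeleton dom0 ruleset showing where that FORWARD rule sits relative to a default-deny policy, as an added example (not Tom's script and not a Shorewall configuration). The bridge name xenbr0 and the SSH allowance are assumptions; setting IPTABLES=echo gives a dry run that needs no root.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the xend-created
# bridge is named xenbr0; set IPTABLES=echo to print rules instead of
# loading them.
IPTABLES="${IPTABLES:-iptables}"
BRIDGE="${BRIDGE:-xenbr0}"   # bridge created by xend (assumed name)

# Report whether bridged frames are being handed to iptables at all.
# This /proc knob is the runtime side of CONFIG_BRIDGE_NETFILTER=y:
# "1" means FORWARD sees domU traffic, "unknown" if the kernel lacks it.
bridge_nf_state() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ -r "$f" ]; then cat "$f"; else echo "unknown"; fi
}

dom0_rules() {
    # Default deny on FORWARD is exactly what swallows bridged domU
    # traffic once Netfilter processes the bridge.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Assumed: dom0 management reachable over SSH only.
    $IPTABLES -A INPUT -i "$BRIDGE" -p tcp --dport 22 -j ACCEPT
    # The rule from the reply: frames entering and leaving on the same
    # bridge are domU<->domU and domU<->eth0 traffic; let the bridge
    # switch them rather than having FORWARD DROP eat them silently.
    $IPTABLES -A FORWARD -i "$BRIDGE" -o "$BRIDGE" -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Dry-run check: how many emitted rules are the intra-bridge ACCEPT.
bridge_rule_count() {
    (IPTABLES=echo; dom0_rules) | grep -c -- "-i $BRIDGE -o $BRIDGE -j ACCEPT"
}
```

The intra-bridge ACCEPT only stops dom0 from dropping domU traffic; it does not filter between domUs, which is the harder part the reply points to.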
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users