
Re: [Xen-users] Firewalls

On Friday 07 April 2006 10:44, Jacob S wrote:

> So, now my question is, is it expected for network-bridge to be
> incompatible with iptables, or is this a bug?

Neither -- it is rather your lack of understanding of how bridges (like the 
one created by xend) and iptables/Netfilter interact.

When your kernel is compiled with CONFIG_BRIDGE_NETFILTER=y, traffic passing 
through bridges is processed by Netfilter. When xend starts, it creates a 
bridge (xenbr0) through which all traffic into and out of eth0 flows.
See the first part of http://www.shorewall.net/Xen.html for details.

So to make your existing script work in dom0, at the very least you need to 

        $IPTABLES -A FORWARD -i xenbr0 -o xenbr0 -j ACCEPT

Configuring a secure firewall in dom0 that also controls traffic to/from the 
domUs is a rather complex task -- I find it easier to run my firewall in a 
domU (see http://www.shorewall.net/XenMyWay.html).

Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@xxxxxxxxxxxxx
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
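A check for the rule Tom describes, as an added example that is not part of the original post: given the output of `iptables -S FORWARD` (the listings below are constructed samples; the bridge name xenbr0 comes from the post, the helper name and the conservative "no DROP/REJECT ahead of the bridge ACCEPT" ordering requirement are assumptions), it reports whether a dom0 FORWARD chain lets bridge-internal traffic through.

```sh
#!/bin/sh
# Added example (not from the original post). Checks whether a dom0 FORWARD
# chain, as printed by `iptables -S FORWARD`, contains the rule
#   -A FORWARD -i xenbr0 -o xenbr0 -j ACCEPT
# and whether it comes before any terminating DROP/REJECT rule.
# Helper name, samples and the ordering requirement are assumptions.

BRIDGE="${BRIDGE:-xenbr0}"

# Constructed sample: a script written for a non-bridged host (no bridge rule).
SAMPLE_MISSING='-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth0 -j REJECT'

# Constructed sample: the rule was added, but after a catch-all DROP, so
# packets never reach it.
SAMPLE_SHADOWED='-P FORWARD DROP
-A FORWARD -j DROP
-A FORWARD -i xenbr0 -o xenbr0 -j ACCEPT'

# Constructed sample: the rule from the post placed first in the chain.
SAMPLE_FIXED='-P FORWARD DROP
-A FORWARD -i xenbr0 -o xenbr0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'

# bridge_rule_ok LISTING BRIDGE
# Exit 0 when "-i BRIDGE -o BRIDGE -j ACCEPT" is present in the FORWARD chain
# and no DROP/REJECT rule precedes it (conservative: any earlier terminating
# rule counts as shadowing); exit 1 otherwise.
bridge_rule_ok() {
    printf '%s\n' "$1" | awk -v br="$2" '
        /^-P / { next }                      # chain policy line, not a rule
        /^-A FORWARD / && index($0, "-i " br " -o " br " -j ACCEPT") {
            found = 1; exit
        }
        /^-A FORWARD / && /-j (DROP|REJECT)/ { blocked = 1; exit }
        END { exit (found && !blocked) ? 0 : 1 }
    '
}

# Stand-alone run: report each constructed listing.
for name in SAMPLE_MISSING SAMPLE_SHADOWED SAMPLE_FIXED; do
    eval "listing=\$$name"
    if bridge_rule_ok "$listing" "$BRIDGE"; then
        echo "$name: bridge-internal traffic accepted"
    else
        echo "$name: bridge rule missing or shadowed"
    fi
done
```

To check a live dom0, feed it the real chain: `bridge_rule_ok "$(iptables -S FORWARD)" xenbr0`.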


Xen-users mailing list