
Re: [Xen-users] Problem start iptables - udp broken


  • To: "Bill Maidment" <bill@xxxxxxxxxxx>, tlehmann@xxxxxxxxxxxxx
  • From: "Abel Martín" <abel.martin.ruiz@xxxxxxxxx>
  • Date: Tue, 28 Nov 2006 12:51:15 +0100
  • Cc: xen-users@xxxxxxxxxxxxxxxxxxx
  • Delivery-date: Tue, 28 Nov 2006 03:51:27 -0800
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

On 11/28/06, Bill Maidment <bill@xxxxxxxxxxx> wrote:
> On Tue, 28 Nov 2006 10:22:53 +0100, Abel Martín wrote
>
> > I forgot to ask you. Are you trying to filter traffic for domU in
> > dom0? If you are trying to do this with iptables and Xen bridged
> > networking it has no sense, since a bridged device is a link layer
> > device and iptables works above at network and transport layer.
>
> I hope I'm not hijacking this thread, but what method is recommended to
> firewall the xen0? Is it illogical to run a bridged network if you want
> to firewall xen0? Sorry for my ignorance. I'm still learning the ropes.
> Cheers
> Bill

Well, you are right. You can use iptables in dom0 to secure domU
(xen0). But I think it's easier to secure domU with an iptables
ruleset inside domU, because setting a tightly secure domU inside is
more complicated and implies the activation of IP forwarding, which is
typical in a router/routed network environment.
http://wiki.xensource.com/xenwiki/XenNetworking#head-602e26cd4a03b992f3938fe1bea03fa0fea0ed8b

What I tried to say is that firewalling a domU with bridged networking
via iptables in dom0 is weird to me. Usually you use bridged
networking when domU is in the same network as dom0. Iptables usually
filters traffic at network and transport layer, although you can set
up restrictions for incoming and outgoing interfaces. You might want
to use the iptables physdev module or ebtables to filter at link layer,
but the last option is quite rare.

I think this matter can be the subject of an alternate debate: the best
way to secure a domU. What do you think? I may have answered without
much thinking. Maybe because I'm used to seeing iptables running in
routers or hosts rather than in bridge devices, although I've seen
them using the physdev iptables module.

Sorry if I confused this thread.
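A concrete form of the dom0 physdev approach mentioned in the message above, added here as an example and not code from the thread: a default-deny FORWARD ruleset that only lets SSH and HTTP reach one domU through its bridge port. The interface name vif1.0 and the allowed ports are hypothetical, and enabling the kernel's bridge-netfilter sysctl is an assumption about the dom0 kernel (without it bridged frames never reach the iptables FORWARD chain).

```shell
#!/bin/sh
# Added example (not from the original thread): dom0 iptables rules that
# filter bridged traffic for one domU with the physdev match.
# Assumptions (hypothetical): the domU's backend interface is vif1.0 and
# it should only accept TCP 22 and 80 from the outside.
# Runs in dry-run mode (prints commands) unless DRY_RUN is set empty:
#   DRY_RUN= sh domu-fw.sh    # actually apply the rules as root
DRY_RUN=${DRY_RUN-1}

run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Bridged frames only traverse the iptables FORWARD chain when the
# bridge-netfilter hook is on; otherwise the physdev rules see nothing.
enable_bridge_netfilter() {
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Per-domU ruleset. $1 = the domU's vif, remaining args = allowed TCP ports.
domu_firewall() {
    vif="$1"; shift
    # Default-deny everything forwarded through the bridge ...
    run iptables -P FORWARD DROP
    # ... but keep replies to connections the domU itself initiated.
    run iptables -A FORWARD -m physdev --physdev-out "$vif" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Allow new inbound connections only on the listed ports.
    for port in "$@"; do
        run iptables -A FORWARD -m physdev --physdev-out "$vif" \
            -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Let the domU talk outwards; log and drop anything else destined for it.
    run iptables -A FORWARD -m physdev --physdev-in "$vif" -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-out "$vif" \
        -j LOG --log-prefix "domU-drop: "
    run iptables -A FORWARD -m physdev --physdev-out "$vif" -j DROP
}

main() {
    enable_bridge_netfilter
    domu_firewall vif1.0 22 80
}
main
```

Watch the dropped-packet log in dom0 (the "domU-drop: " prefix) to confirm the rules actually see bridged traffic before trusting them.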

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users