
[Xen-users] Re: Blocking DomU NetBios


  • To: xen-users@xxxxxxxxxxxxxxxxxxx
  • From: Ligesh <myself@xxxxxxxxxx>
  • Date: Wed, 13 Feb 2008 17:31:41 +0530
  • Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
  • Delivery-date: Wed, 13 Feb 2008 03:36:43 -0800
  • Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=private; d=ligesh.com; b=hEolx5ETY6KWDfiwaezO2JBJ8ItE08bvEUZM7z68zzGvQwmisb7hkro+owL+dynd;
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

I added these rules on the dom0, but they didn't have any effect whatsoever on 
the domUs. Shouldn't the domU network devices appear as physical devices on the 
dom0, and then the INPUT/OUTPUT chain just work?

Any help would be greatly appreciated. A Google search for "xen block netbios" 
is bringing this particular thread as the first result, so I guess it is not 
something that's common knowledge.

iptables -A OUTPUT -p tcp --dport 135:139 -j DROP
iptables -A OUTPUT -p udp --dport 135:139 -j DROP
iptables -A INPUT  -p tcp --dport 135:139 -j DROP
iptables -A INPUT  -p udp --dport 135:139  -j DROP
iptables -A FORWARD  -p tcp --dport 135:139 -j DROP
iptables -A FORWARD  -p udp --dport 135:139 -j DROP

Thanks.

On Tue, Feb 12, 2008 at 05:08:18PM +0530, Ligesh wrote:
> 
>  It has to be done outside of the domU. Modifying the domU is not an option 
> at all. That's a major effort if you have 30 domUs on a node already running, 
> and anyway, the idea is that domUs are run by hostile users, and all security 
> is implemented outside of it.
> 

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
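
Added example, not part of the original message or of Xen's scripts: on a bridged dom0, domU traffic is forwarded rather than locally terminated, so INPUT/OUTPUT never see it, and a FORWARD rule appended with -A loses to any earlier rule that already accepts the packet. The function below reports the first matching rule in `iptables -S FORWARD` output; both rule listings and the vif1.0 name are constructed, bridged networking is assumed, and only -p, --dport, --physdev-in and -j are interpreted.

```shell
#!/bin/sh
# Constructed `iptables -S FORWARD` listings (assumptions, not from the post).
# SHADOWED: a per-vif ACCEPT sits above the appended NetBIOS DROP rules.
SAMPLE_SHADOWED='-P FORWARD ACCEPT
-A FORWARD -m physdev --physdev-in vif1.0 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 135:139 -j DROP
-A FORWARD -p udp -m udp --dport 135:139 -j DROP'

# FIXED: the same DROP rules placed ahead of the ACCEPT (e.g. via -I).
SAMPLE_FIXED='-P FORWARD ACCEPT
-A FORWARD -p tcp -m tcp --dport 135:139 -j DROP
-A FORWARD -p udp -m udp --dport 135:139 -j DROP
-A FORWARD -m physdev --physdev-in vif1.0 -j ACCEPT'

# forward_verdict PROTO DPORT VIF
# Reads rules on stdin and prints "TARGET RULE_NUMBER" for the first rule
# matching a packet of PROTO to DPORT entering the bridge on VIF.
# Prints "POLICY 0" when no rule matches. Simplified matcher: unknown
# match options are ignored, wildcard interface names are not expanded.
forward_verdict() {
    awk -v proto="$1" -v dport="$2" -v vif="$3" '
    $1 == "-P" { policy = $3; next }
    $1 == "-A" {
        n++; ok = 1; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-p" && $(i+1) != proto) ok = 0
            if ($i == "--physdev-in" && $(i+1) != vif) ok = 0
            if ($i == "--dport") {
                split($(i+1), r, ":"); lo = r[1] + 0
                hi = (r[2] == "") ? lo : r[2] + 0
                if (dport + 0 < lo || dport + 0 > hi) ok = 0
            }
            if ($i == "-j") target = $(i+1)
        }
        if (ok && target != "") { print target, n; found = 1; exit }
    }
    END { if (!found) print policy, 0 }'
}

# Demo on the constructed listings: NetBIOS session traffic from vif1.0.
printf 'shadowed: %s\n' "$(printf '%s\n' "$SAMPLE_SHADOWED" | forward_verdict tcp 139 vif1.0)"
printf 'fixed:    %s\n' "$(printf '%s\n' "$SAMPLE_FIXED" | forward_verdict tcp 139 vif1.0)"
```

On a live dom0, pipe `iptables -S FORWARD` into the function, and confirm `sysctl net.bridge.bridge-nf-call-iptables` reports 1; with it at 0, bridged frames bypass iptables entirely.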


 

