Actually, firewalling the dom0 *can* impact domUs, depending on how you do it. You can put firewall rules onto a physical interface that affect all of the traffic that goes through that interface, whether the destination is the dom0 or not. In fact, if you put iptables rules in place on your dom0 that limit access from outside to port 22 on the dom0 IP, that is going to eliminate all traffic except the traffic destined for dom0. You need to construct your rules in such a way as to make sure traffic can flow between dom0 and outside and domUs and outside.
-Nick
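One way to construct the rules Nick describes, as an added example that is not part of the original thread: it assumes a Linux-bridge setup where dom0's address sits on the bridge and bridged frames pass through the FORWARD chain (bridge-nf-call-iptables=1), and the dom0 address and management network shown are placeholders.

```shell
#!/bin/sh
# Added example: a minimal dom0 packet filter that restricts what reaches
# dom0 itself while leaving bridged domU traffic alone. The addresses are
# placeholders (constructed for this example); edit them before use.
DOM0_IP="${DOM0_IP:-192.0.2.10}"        # placeholder dom0 address
MGMT_NET="${MGMT_NET:-198.51.100.0/24}" # placeholder admin network for SSH
IPT="${IPT:-iptables}"                  # set IPT=echo to preview the rules

dom0_rules() {
    # Packets addressed to dom0's own IP traverse INPUT; frames bridged to
    # the domU vifs traverse FORWARD instead, so a DROP policy on INPUT
    # does not cut the guests off.
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # SSH to dom0 only from the management network, matched on dom0's IP
    # so the rule cannot catch port 22 on a domU by accident.
    $IPT -A INPUT -d "$DOM0_IP" -p tcp --dport 22 -s "$MGMT_NET" -j ACCEPT
    $IPT -P INPUT DROP
    # Traffic bridged between the uplink and the domU vifs is let through
    # here; per-guest filtering would go in its own chain ahead of this.
    $IPT -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
    $IPT -P FORWARD DROP
}

# Apply only when explicitly asked, so sourcing the file has no side effects.
if [ "${1:-}" = apply ]; then
    dom0_rules
fi
```

Run with `IPT=echo sh dom0-fw.sh apply` first to review the generated rules before applying them for real.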
>>> On 2009/09/08 at 08:22, "Ian Tobin" <itobin@xxxxxxxxxxxxx> wrote:
But firewalling Dom 0 doesn't affect the VMs?
And also if you did that you might not want to block certain ports as it could be different on every VM.
BTW what is the best way of firewalling a Dom 0 built from the lenny debs?
Thanks
Ian
-----Original Message-----
From: James Harper [mailto:james.harper@xxxxxxxxxxxxxxxx]
Sent: 08 September 2009 14:03
To: Ian Tobin; Fajar A. Nugraha
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: RE: [Xen-users] latest GPLPV drivers 0.10.0.86 and microsoft.com

> > In the end this turned out to be some worm getting onto the VPS before
> > we had chance to enable the firewall so now we are building the images
> > offline, enabling the firewall and putting them on the net.
> >
> > Very strange how quickly it got infected but lessons learned.
> >
> > Big thanks for James and Fajar for the advice.
> >
> > On another note we can't put a perimeter firewall in place as the servers
> > are on the internet in the datacenter.
>
You could firewall in Dom0 though.
Here (http://isc.sans.org/diary.html?storyid=7093&rss) is another good reason why you should firewall early and firewall often :)
James