
Re: [Xen-users] Firewall settings for domUs in Xen!

On Fri, Mar 5, 2010 at 6:43 PM, Jan Muhammad <janmuhd@xxxxxxxxx> wrote:
> Hi,
> I've set up a Debian-based Xen (dom0) with two domUs of the same OS flavour; I'm
> using bridging and static IPs for my domUs.
> I wonder whether the firewall settings for dom0 are enough to protect domUs

Bridged traffic is also filtered by dom0's iptables in the default setup,
but the default rule is "allow all traffic that belongs to domU's
interface". The rule is like this:

-A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif2.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif2.0 -j ACCEPT

I highly suggest you leave it as it is, as filtering domUs' traffic on
domU can lead to a complex setup.

> or do I need to set up separate firewall rules for domUs individually?

That would be best. When setting up bridged networking, it's easiest
to think of dom0 like a switch. Think of domU like any other physical
machine on the network. Do what you usually do to set up a firewall on
physical machines.


Xen-users mailing list
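
Added example, not part of the original message or of Xen's own scripts: a shell function that reads iptables-save style rules and lists the vif interfaces for which dom0 has a FORWARD rule accepting bridged traffic with no further match, i.e. the domUs that depend entirely on their own firewall. The sample rules are constructed; vif3.0 and its tcp/22 restriction are hypothetical.

```shell
#!/bin/sh
# Audit dom0 FORWARD rules for blanket per-vif ACCEPTs like the default
# rule quoted in the message above.

# Reads iptables-save style rules on stdin.
# Prints "<in|out> <vif>" for every FORWARD rule that matches only on the
# bridge port (physdev) and jumps to ACCEPT with no other condition.
unfiltered_vifs() {
    awk '
    $1 == "-A" && $2 == "FORWARD" {
        vif = ""; dir = ""; target = ""; extra = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-m" && $(i+1) == "physdev") { i++ }
            else if ($i == "--physdev-in")  { dir = "in";  vif = $(i+1); i++ }
            else if ($i == "--physdev-out") { dir = "out"; vif = $(i+1); i++ }
            else if ($i == "--physdev-is-bridged") { }
            else if ($i == "-j") { target = $(i+1); i++ }
            else { extra = 1 }   # any other match (state, -p, --dport, ...) narrows the rule
        }
        if (vif != "" && target == "ACCEPT" && !extra) print dir, vif
    }' | sort -u
}

# Constructed sample: vif2.0 carries the two default rules from the message;
# vif3.0 is a hypothetical domU that dom0 restricts to tcp/22.
SAMPLE_RULES='-A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif2.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif2.0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif3.0 -j ACCEPT
-A FORWARD -p tcp -m physdev --physdev-in vif3.0 -m tcp --dport 22 -j ACCEPT'

sample_report() { printf '%s\n' "$SAMPLE_RULES" | unfiltered_vifs; }

# Stand-alone run on the constructed sample; on a real dom0 the input
# would come from: iptables-save | unfiltered_vifs
sample_report
```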


