Re: [Xen-users] Firewall settings for domUs in Xen!
On Fri, Mar 5, 2010 at 6:43 PM, Jan Muhammad <janmuhd@xxxxxxxxx> wrote:
>
> Hi,
>
> I've set up a Debian-based Xen (dom0) with two domUs of the same OS flavour; I'm
> using bridging and static IPs for my domUs.
> I wonder whether the firewall settings for dom0 are enough to protect domUs

Bridged traffic is also filtered by dom0's iptables on the default setup, but the default rule is "allow all traffic that belongs to domU's interface". The rule is like this:

  -A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif2.0 -j ACCEPT
  -A FORWARD -m physdev --physdev-in vif2.0 -j ACCEPT

I highly suggest you leave it as it is, as filtering domUs' traffic on domU can lead to a complex setup.

> or do I need to setup separate firewall rules for domUs individually.

That would be best. When setting up bridged networking, it's easiest to think of dom0 like a switch. Think of domU like any other physical machine on the network. Do what you usually do to set up a firewall on physical machines.

--
Fajar

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
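
An added example, not part of the original message: a POSIX shell check that reads `iptables-save` output from dom0, lists the vif interfaces accepted by a physdev-only rule like the one quoted above, and reports the FORWARD chain policy that applies to packets no rule matches. The sample ruleset, the vif3.0 rules and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in iptables-save format: the two vif2.0 rules quoted in
# the message, plus a hypothetical restricted rule pair for vif3.0.
sample_rules() {
cat <<'EOF'
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif2.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif2.0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif3.0 -j ACCEPT
-A FORWARD -s 192.0.2.30/32 -p tcp -m physdev --physdev-in vif3.0 -m tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# Print the FORWARD chain policy, which decides packets that match no rule.
forward_policy() {
  awk '$1 == ":FORWARD" { print $2 }'
}

# Print each vif that has a FORWARD rule accepting on nothing but
# "--physdev-in <vif>": no address, protocol, port or state match.
unfiltered_vifs() {
  awk '
    $1 == "-A" && $2 == "FORWARD" {
      vif = ""; target = ""; extra = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "-m" && $(i+1) == "physdev") { i++ }
        else if ($i == "--physdev-in") { vif = $(i+1); i++ }
        else if ($i == "-j") { target = $(i+1); i++ }
        else { extra = 1 }   # any other token narrows the rule
      }
      if (vif != "" && target == "ACCEPT" && !extra && !(vif in seen)) {
        seen[vif] = 1
        print vif
      }
    }'
}

# On a real dom0, feed live rules instead: iptables-save -t filter | unfiltered_vifs
echo "FORWARD policy: $(sample_rules | forward_policy)"
echo "physdev-only ACCEPT: $(sample_rules | unfiltered_vifs)"
```

A vif listed here is passed through dom0 without further filtering, so that domU needs its own firewall, as the reply recommends.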