
RE: [Xen-users] Xen 3.4.2 networking help

Jonathan Tripathy wrote:

If you are referring to the OUTPUT chain of the Dom0 itself, surely you wouldn't use physdev at all? Wouldn't you just use "iptables -A OUTPUT -o ethx ...."?

Dunno about iptables specifics - I only use Shorewall and I know it's a limitation. But isn't "-o ethx" a device match? If there was a way around the limitation, I'm sure Tom Eastep would have figured it out.

In any case, I don't block by interface on the Dom0's OUTPUT chain. No real need to when the INPUT chain is protected with "iptables -A INPUT -i ...". I only ever use physdev on the FORWARD chain, which works for both incoming and outgoing traffic.

Well for me input restrictions are sufficient on Dom0 since no-one else is running stuff on Dom0. On my DomUs I also block outbound by default so that "less security minded" users have less scope to cause problems and/or there is less scope if a machine gets compromised.

Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
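As an added illustration (not from either poster), the pattern discussed above as a plain iptables script: an ordinary -i match on Dom0's own INPUT chain, and physdev matches on FORWARD to pin both directions of a bridged DomU's traffic to its vif, with outbound denied by default. It assumes placeholder names (bridge xenbr0, uplink eth0, DomU vif vif1.0) and that bridged traffic is passed to iptables (net.bridge.bridge-nf-call-iptables=1); set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names below are placeholders.
# Requires net.bridge.bridge-nf-call-iptables=1 so bridged frames hit FORWARD.
IPT="${IPT:-iptables}"   # IPT=echo prints the rules instead of applying them

BRIDGE="xenbr0"          # placeholder: bridge carrying the DomU vifs
DOMU_VIF="vif1.0"        # placeholder: the DomU's vif on that bridge

dom0_input_rules() {
    # Dom0's own INPUT chain: a normal interface match (-i) is enough here,
    # because traffic for Dom0 itself arrives via the bridge device.
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$BRIDGE" -p tcp --dport 22 -j ACCEPT
}

domu_forward_rules() {
    # Bridged DomU traffic never touches INPUT/OUTPUT; it crosses FORWARD with
    # the bridge as both -i and -o, so physdev is what ties a rule to one vif.
    # --physdev-out = towards the DomU, --physdev-in = from the DomU.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Inbound to the DomU: allow only HTTP.
    $IPT -A FORWARD -m physdev --physdev-out "$DOMU_VIF" -p tcp --dport 80 -j ACCEPT
    # Outbound from the DomU: default deny, DNS and HTTP allowed explicitly,
    # everything else logged then dropped so a compromised guest is visible.
    $IPT -A FORWARD -m physdev --physdev-in "$DOMU_VIF" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -m physdev --physdev-in "$DOMU_VIF" -p tcp --dport 80 -j ACCEPT
    $IPT -A FORWARD -m physdev --physdev-in "$DOMU_VIF" -j LOG --log-prefix "domu-out-drop: "
    $IPT -A FORWARD -m physdev --physdev-in "$DOMU_VIF" -j DROP
}

apply_all() {
    dom0_input_rules
    domu_forward_rules
}

# Usage: sh xen-fw.sh apply        (or: IPT=echo sh xen-fw.sh apply)
if [ "${1:-}" = "apply" ]; then
    apply_all
fi
```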
