[Gllug] Logging in iptables and Debian install woes
Richard Jones
rich at annexia.org
Fri Apr 28 13:22:55 UTC 2006
On Fri, Apr 28, 2006 at 01:09:49PM +0000, Andy Smith wrote:
> On Fri, Apr 28, 2006 at 01:59:17PM +0100, Richard Jones wrote:
> > On Fri, Apr 28, 2006 at 11:31:15AM +0000, Andy Smith wrote:
> > > Incidentally has anyone got a simple explanation of how, with xen
> > > 3.x (bridged networking), to use iptables in dom0 for protecting
> > > domUs? In xen 2.x this was quite simple if you used named vifs; all
> > > traffic to/from a domU went in/out via the vif and you could use
> > > --physdev-in / --physdev-out to match it.
> >
> > Do you want to protect the domUs from each other, or do you want to
> > protect them from the outside world?
[...]
> If I have X domUs all controlled by me for partitioning of services
> then I don't really want to run iptables on each, seems more logical
> and efficient to do it once in dom0.
We haven't found a good way to do that. Luckily our domUs aren't
supposed to be adversarial. Nevertheless since IP numbers are
statically allocated by the dom0, we are doing some host-based
authentication on individual services using (for instance) pg_hba.conf
and hosts.{allow,deny}, on the domUs. Extending this to a firewall
running on the domUs would be the next step for us. The network
configuration on dom0 under Xen3 is so peculiar and so under-documented
that I personally wouldn't be confident we could get a
firewall going on dom0 which would protect the domUs from each other.
Rich.
--
Richard Jones, CTO Merjis Ltd.
Merjis - web marketing and technology - http://merjis.com
Team Notepad - intranets and extranets for business - http://team-notepad.com
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug