[Gllug] Logging in iptables and Debian install woes

Richard Jones rich at annexia.org
Fri Apr 28 13:22:55 UTC 2006

On Fri, Apr 28, 2006 at 01:09:49PM +0000, Andy Smith wrote:
> On Fri, Apr 28, 2006 at 01:59:17PM +0100, Richard Jones wrote:
> > On Fri, Apr 28, 2006 at 11:31:15AM +0000, Andy Smith wrote:
> > > Incidentally has anyone got a simple explanation of how, with xen
> > > 3.x (bridged networking), to use iptables in dom0 for protecting
> > > domUs?  In xen 2.x this was quite simple if you used named vifs; all
> > > traffic to/from a domU went in/out via the vif and you could use
> > > --physdev-in / --physdev-out to match it.
> > 
> > Do you want to protect the domU's from each other, or do you want to
> > protect them from the outside world?
> If I have X domUs all controlled by me for partitioning of services
> then I don't really want to run iptables on each, seems more logical
> and efficient to do it once in dom0.

We haven't found a good way to do that.  Luckily our domUs aren't
supposed to be adversarial.  Nevertheless since IP numbers are
statically allocated by the dom0, we are doing some host-based
authentication on individual services using (for instance) pg_hba.conf
and hosts.{allow,deny}, on the domUs.  Extending this to a firewall
running on the domUs would be the next step for us.  The network
configuration on dom0 under Xen3 is so peculiar and so under-
documented that I personally wouldn't be confident we could get a
firewall going on dom0 which would protect the domUs from each other.


Richard Jones, CTO Merjis Ltd.
Merjis - web marketing and technology - http://merjis.com
Team Notepad - intranets and extranets for business - http://team-notepad.com
Gllug mailing list  -  Gllug at gllug.org.uk

More information about the GLLUG mailing list