[Gllug] Xen and iptables problem

Bruce Richardson itsbruce at workshy.org
Fri Jan 5 13:38:47 UTC 2007


On Fri, Jan 05, 2007 at 12:10:19PM +0000, - wrote:
> For those unfamiliar with Xen, it makes networking insanely (and
> unnecessarily) complicated, which is why it's hitting both the FORWARD
> and INPUT/OUTPUT chains. See
> http://wiki.xensource.com/xenwiki/XenNetworking for more details.

It isn't insanely complicated if you treat dom0 purely as an
administrative domain and do any firewalling from within user domains.
That not only simplifies things, it makes it more secure.  Yes, Xen uses
bridges to organise its networking but these are presented
to domU as simple ethernet interfaces, so if you do your iptables work
in there then you never need to worry about packets taking strange paths
through the netfilter tables.  Unless, of course, you explicitly decide
to make life complicated for yourself (e.g. putting in firewalling
bridges).

-- 
Bruce

I object to intellect without discipline.  I object to power without
constructive purpose. -- Spock
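The domU-side approach above, as an added example rather than anything from the post: a minimal stateful host policy loaded inside the guest, where Xen presents the bridged vif as a plain eth0. It assumes eth0 is the guest's interface and SSH is the only exposed service; both are placeholders to adjust.

```shell
#!/bin/sh
# Added example (not from the list post): a stateful iptables policy for a
# Xen domU. Inside the guest the bridge is invisible, so ordinary INPUT
# rules on eth0 are all that is needed; dom0 keeps no firewall rules.
# Assumptions: interface is eth0 and only SSH (22/tcp) is exposed.

DOMU_IF="${DOMU_IF:-eth0}"

# Print the ruleset in iptables-restore format so it can be reviewed
# (or checked by a script) before it is loaded.
domu_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to the guest's own connections
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the one service this guest exposes
-A INPUT -i ${DOMU_IF} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# ICMP echo so the guest stays reachable for diagnosis
-A INPUT -i ${DOMU_IF} -p icmp --icmp-type echo-request -j ACCEPT
# a guest is not a router: FORWARD stays at its DROP policy
COMMIT
EOF
}

# Number of rules that would be loaded; a cheap sanity check.
domu_rule_count() {
    domu_ruleset | grep -c '^-A '
}

# Load the policy atomically: iptables-restore replaces the whole filter
# table in one step, so there is no window with a half-applied ruleset.
domu_apply() {
    command -v iptables-restore >/dev/null 2>&1 || {
        echo "iptables-restore not found" >&2
        return 1
    }
    domu_ruleset | iptables-restore
}
```

Run `domu_ruleset` to inspect the rules and `domu_apply` as root inside the guest to load them.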