[CentOS-virt] firewall best practice on dom-0

Tim Verhoeven tim.verhoeven.be at gmail.com
Thu Jul 17 08:15:49 UTC 2008

On Sun, Jul 13, 2008 at 2:19 PM, Kai Schaetzl <maillists at conactive.com> wrote:
> I took over a custom firewall script from my older Suse machines to my
> Dom-Us and it works just fine. Doing the same for Dom-0 immediately killed
> all traffic for the VMs. As there was no need before I had been dropping
> everything on the FORWARD chain. After ACCEPTing all for FORWARD my VMs
> are happy again.
> What's best practice on Dom-0, what do you do? Can I restrict the
> forwarding, in which way?

For restricting traffic at the dom0 level I use ebtables (it's like
iptables but on a bridge level). It allows you to do basic filtering
between the real interfaces (from the dom0) and virtual interfaces
(from the domUs). This of course works because Xen is using bridges
to link the real interfaces with the virtual ones.


Tim Verhoeven - tim.verhoeven.be at gmail.com - 0479 / 88 11 83

Hoping the problem magically goes away by ignoring it is the
"microsoft approach to programming" and should never be allowed.
(Linus Torvalds)
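The reply above names ebtables but shows no rules; what follows is an added example (not from the post or from Xen) of the kind of per-vif rule set it makes possible: default-deny on the bridge FORWARD chain, anti-spoofing per guest port, and a short allow list toward the uplink. It assumes a default Xen bridge with an uplink port named peth0, guest ports named vifN.0 and statically addressed guests; the GUESTS inventory holds constructed sample values.

```shell
#!/bin/sh
# Added example, not from the list post: build per-guest ebtables FORWARD rules
# for a Xen bridge so a domU can only use its own MAC/IP and a few services.
# Assumed names: uplink port peth0, guest ports vifN.0 (adjust to your bridge).
# ebtables has no connection tracking, so return traffic needs an explicit rule.

UPLINK=${UPLINK:-peth0}

# Emit the commands for one guest port. Args: vif name, guest MAC, guest IPv4.
guest_rules() {
    vif=$1; mac=$2; ip=$3
    # Anti-spoofing: drop frames from the vif whose source MAC or IP is not the guest's.
    echo "ebtables -A FORWARD -i $vif -s ! $mac -j DROP"
    echo "ebtables -A FORWARD -i $vif -p IPv4 --ip-src ! $ip -j DROP"
    # Guest -> uplink only: ARP, HTTP/HTTPS and DNS; anything else hits the DROP policy.
    echo "ebtables -A FORWARD -i $vif -o $UPLINK -p ARP -j ACCEPT"
    for port in 80 443; do
        echo "ebtables -A FORWARD -i $vif -o $UPLINK -p IPv4 --ip-proto tcp --ip-dport $port -j ACCEPT"
    done
    echo "ebtables -A FORWARD -i $vif -o $UPLINK -p IPv4 --ip-proto udp --ip-dport 53 -j ACCEPT"
    # Uplink -> guest replies (the bridge layer cannot match on connection state).
    echo "ebtables -A FORWARD -i $UPLINK -o $vif -j ACCEPT"
}

# Full rule set: flush, default-deny bridged forwarding, then one block per guest.
# Reads "vif mac ip" triples, one per line, from stdin.
build_ruleset() {
    echo "ebtables -F FORWARD"
    echo "ebtables -P FORWARD DROP"
    while read -r vif mac ip; do
        if [ -n "$vif" ]; then guest_rules "$vif" "$mac" "$ip"; fi
    done
}

# Constructed inventory of two guests (sample values, not real hosts).
GUESTS="vif1.0 00:16:3e:00:00:01 192.168.1.11
vif2.0 00:16:3e:00:00:02 192.168.1.12"

# Default: print the commands for review. `sh script.sh apply` (as root) executes them.
if [ "${1:-print}" = apply ]; then
    printf '%s\n' "$GUESTS" | build_ruleset | sh -e
else
    printf '%s\n' "$GUESTS" | build_ruleset
fi
```

The uplink-to-guest rule accepts every frame destined for that port, so inbound services still have to be restricted inside the domU (or the rule narrowed with --ip-proto and --ip-sport); guest-to-guest frames fall through to the DROP policy unless you add rules between vifs.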
