Tim Verhoeven wrote on Thu, 17 Jul 2008 10:15:49 +0200:

> For restricting traffic at the dom0 level I use ebtables (it's like
> iptables but on a bridge level). It allows you to do basic filtering
> between the real interfaces (from the dom0) and virtual interfaces
> (from the domU's). This of course works because Xen is using bridges
> to link the real interfaces with the virtual ones.

Thanks for the answer :-)

I know of ebtables, but not too much. As I understand it I don't really need it if I run iptables on both host and guests.

What I'm wondering about is that xend adds a forwarding rule each time a dom-U is started. Like this:

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif1.0
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif2.0
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif3.0

However, if I flush that chain I do not see any difference; networking for the dom-U works like before. And, on the other hand, if I attempt to flush all chains with the exception of this single chain (to keep it like Xen wanted it to be, just to be sure) I get an error "too many links" or so. Which means if I want to establish my own rules and make sure that all old rules get reset - with the exception of the forward chain - I can't. At least I haven't found another way to achieve that. Is there?

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
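An added example, not part of the thread or of xend itself, showing one way to do the reset Kai asks about without flushing chains one at a time: dump the live ruleset with iptables-save, keep only the per-vif FORWARD rules xend inserted (the "-A FORWARD -m physdev --physdev-in vifN.M -j ACCEPT" lines, which is what "PHYSDEV match --physdev-in vif1.0" in iptables -L corresponds to), put your own rules after them, and feed the result to iptables-restore, which replaces the filter table wholesale. The sample iptables-save dump and the OWN_RULES policy below are constructed for the example; the script only manipulates text and touches nothing until you pipe its output into iptables-restore yourself. Note also that with the chain policy at ACCEPT, as in the listing above, those xend ACCEPT rules are no-ops, which is why flushing them changes nothing; they only matter once the FORWARD policy is DROP.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild dom0's filter table from a
# clean slate while keeping the per-vif FORWARD rules that xend inserts.
# Works on iptables-save text only; the live firewall is untouched until the
# output is piped into iptables-restore.

# Constructed sample of iptables-save output on a dom0 with two running domUs.
SAMPLE_SAVE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.0.0.0/8 -j DROP
-A FORWARD -m physdev --physdev-in vif1.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif2.0 -j ACCEPT
-A FORWARD -i eth0 -j DROP
-A OUTPUT -p tcp --dport 25 -j DROP
COMMIT'

# Hypothetical rules of your own to install after the reset, one
# iptables-restore line each.
OWN_RULES='-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j DROP'

# xen_vif_rules: stdin = iptables-save dump, stdout = only the FORWARD rules
# xend added for virtual interfaces (vifN.M). "|| true" keeps an empty
# result from being treated as a failure under set -e.
xen_vif_rules() {
    grep -E '^-A FORWARD .*--physdev-in vif[0-9]+\.[0-9]+( |$)' || true
}

# build_filter_table OWN_RULES: stdin = current iptables-save dump.
# Emits a complete *filter table for iptables-restore: every old rule is
# dropped except the xend vif rules, which stay at the head of FORWARD;
# OWN_RULES are appended after them and the chain policies reset to ACCEPT.
build_filter_table() {
    own="$1"
    kept=$(xen_vif_rules)
    printf '*filter\n'
    printf ':INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    if [ -n "$kept" ]; then
        printf '%s\n' "$kept"
    fi
    if [ -n "$own" ]; then
        printf '%s\n' "$own"
    fi
    printf 'COMMIT\n'
}

# count_vif_rules: number of xend vif rules in the dump on stdin.
count_vif_rules() {
    echo $(( $(xen_vif_rules | wc -l) ))
}

# Demonstration on the constructed sample. On a real dom0 the equivalent is:
#   iptables-save | build_filter_table "$OWN_RULES" | iptables-restore
printf '%s\n' "$SAMPLE_SAVE" | build_filter_table "$OWN_RULES"
```

Two things to keep in mind if you use this shape for real: iptables-restore given a "*filter ... COMMIT" block replaces that whole table (other tables such as nat are left alone), so the "too many links" problem of deleting chains one by one never arises; and because iptables is first-match, keeping the xend ACCEPT rules at the head of FORWARD means any FORWARD restriction you append afterwards will not apply to traffic arriving from a vif, which is exactly the case Tim's ebtables suggestion covers.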