FIAIF and Xen
Jose Juan Montes
Mon Nov 30 16:03:20 CET 2009
We use FIAIF to secure our hosts, but we are having some issues with
FIAIF and Xen:
When Xen starts a new guest domain, it automatically adds an iptables
rule like the following one:
8281 638158 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in main.eth0
Where "main.eth0" is the interface name that corresponds to a particular
virtual machine. This rule allows network packets to traverse the Dom0
host and reach the virtual machine.
These rules are added dynamically by Xen, and therefore they are lost
if we restart FIAIF after that point.
We would like to set similar rules statically so we can safely restart
FIAIF. Currently we are adding generic rules that match the interface's
network range. It works, but it's not ideal, as some undesired packets
will go through.
Is there a way we can set those rules at FIAIF level?
Thank you very much for your help.
José Juan Montes
Systems Department - Aitire
C./ Príncipe Nº 34, Principal, Oficina 3
36201 Vigo, Pontevedra
Phone: +34 986 163 050
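The following is an added example and is not part of the original post, nor is it FIAIF's or Xen's own code. It shows one way to regenerate the per-guest FORWARD rules statically after a firewall restart, matching each vif with `--physdev-in` and additionally pinning it to the guest's known source address, so that fewer undesired packets pass than with a rule that only matches the interface's network range. The vif names (`main.eth0`, `web.eth0`), the guest addresses, and the `IPTABLES` variable (which lets the script be dry-run with `IPTABLES=echo`) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the post, FIAIF or Xen): rebuild static Xen guest
# forwarding rules so they survive a firewall restart. Assumed interface
# names and addresses; set IPTABLES=echo to preview the commands instead of
# running them.
IPTABLES="${IPTABLES:-iptables}"

# Constructed mapping, one "<vif> <guest IP>" pair per line (hypothetical).
GUESTS="main.eth0 192.0.2.10
web.eth0 192.0.2.11"

# Emit the two FORWARD rules for one guest:
#  - frames entering the bridge from the guest's vif must carry the guest's
#    own source address (blocks spoofing from inside the domU);
#  - frames leaving toward the vif are accepted only for established or
#    related flows (new connections to the guest still go through whatever
#    the main firewall policy allows).
xen_guest_rules() {
    vif="$1"
    ip="$2"
    "$IPTABLES" -A FORWARD -m physdev --physdev-in "$vif" -s "$ip" -j ACCEPT
    "$IPTABLES" -A FORWARD -m state --state RELATED,ESTABLISHED \
        -m physdev --physdev-is-bridged --physdev-out "$vif" -d "$ip" -j ACCEPT
}

# Walk the mapping and install rules for every guest listed.
apply_all() {
    printf '%s\n' "$GUESTS" | while read -r vif ip; do
        [ -n "$vif" ] && xen_guest_rules "$vif" "$ip"
    done
}

# Only touch the firewall when explicitly asked, e.g. from a post-restart hook:
#   sh xen-guest-rules.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_all
fi
```

Run it as the last step of whatever restarts FIAIF; the `-s`/`-d` match is the part that narrows the original generic range rule, and the `IPTABLES=echo` dry run lets you check the generated commands before they touch the FORWARD chain.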