FIAIF and Xen

Jose Juan Montes
Mon Nov 30 16:03:20 CET 2009


We use FIAIF to secure our hosts, but we are having some issues with
FIAIF and Xen:

When Xen starts a new guest domain, it automatically adds an iptables
rule like the following one:

8281   638158 ACCEPT     all  --  *      *             PHYSDEV match --physdev-in main.eth0

Where "main.eth0" is the interface name that corresponds to a particular
virtual machine. This rule allows network packets to traverse the Dom0
host and reach the virtual machine.

These rules are added dynamically by Xen, and therefore they are lost
if we restart FIAIF after that point.

We would like to set similar rules statically so we can safely restart
FIAIF. Currently we are adding generic rules that match the interface's
network range. It works, but it's not ideal, as some undesired packets
will go through.

Is there a way we can set those rules at FIAIF level?

Thank you very much for your help.

Best regards.


José Juan Montes
Systems Department - Aitire

C./ Príncipe No. 34, Principal, Office 3
36201 Vigo, Pontevedra
Telephone: +34 986 163 050
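The following is an added example, not part of the original message and not code from FIAIF or Xen. It shows one way to re-create the per-guest FORWARD rules that the post describes so they can be re-applied after a firewall restart, from a post-start hook or cron job, without opening the whole network range. It assumes: a Linux bridge whose ports are listed under /sys/class/net/<bridge>/brif (the bridge name, xenbr0 or similar, is a placeholder); an iptables that supports the -C rule check (1.4.11 or later; on older versions replace the check with an iptables-save | grep); that the pair of rules Xen's vif-bridge script installs is "accept physdev-in <vif>" plus "accept RELATED,ESTABLISHED physdev-out <vif>", which should be confirmed against /etc/xen/scripts/vif-common.sh on the host in question; and that the vif naming follows vifN.M or <domain>.ethN as in the post. Note also that physdev matching only sees bridged traffic when net.bridge.bridge-nf-call-iptables is 1. The optional per-guest source address is a tightening that the post's generic range-based rules do not provide: it stops a guest from sending traffic with a spoofed source through its own vif.

```shell
#!/bin/sh
# Added example (not from the original post, FIAIF or Xen): regenerate
# per-vif FORWARD rules idempotently after a firewall restart.
# Everything marked "assumed" is a placeholder for the real host.
set -eu

# DRY_RUN=1 prints the iptables commands instead of executing them,
# so the logic can be exercised on a host without iptables or Xen.
: "${DRY_RUN:=0}"

run_ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Insert a rule only if it is not already present (iptables -C, assumed
# available), so repeated runs do not stack duplicate rules.
add_once() {
    if [ "$DRY_RUN" = 1 ] || ! iptables -C "$@" 2>/dev/null; then
        run_ipt -I "$@"
    fi
}

# The two rules assumed to mirror what Xen's vif-bridge script adds:
# guest-originated traffic in on the vif, and only reply traffic back out.
# The optional second argument pins the accepted source to the guest's own
# address, which blocks source-spoofing from inside that guest.
vif_rules() {
    vif="$1"
    src="${2:-}"
    if [ -n "$src" ]; then
        add_once FORWARD -m physdev --physdev-in "$vif" -s "$src" -j ACCEPT
    else
        add_once FORWARD -m physdev --physdev-in "$vif" -j ACCEPT
    fi
    add_once FORWARD -m state --state RELATED,ESTABLISHED \
        -m physdev --physdev-out "$vif" -j ACCEPT
}

# Ports currently attached to a Linux bridge (sysfs layout); returns
# nothing, rather than failing, when the bridge does not exist.
bridge_ports() {
    ls "/sys/class/net/$1/brif" 2>/dev/null || true
}

# Apply the rule pair to every guest port on the bridge, skipping the
# physical uplink. Bridge name and vif naming pattern are assumed.
apply_bridge() {
    bridge="$1"
    for port in $(bridge_ports "$bridge"); do
        case "$port" in
            vif*|*.eth*) vif_rules "$port" ;;
            *)           : ;;   # uplink such as peth0: leave untouched
        esac
    done
}

# Usage: DRY_RUN=1 sh this_script.sh xenbr0   (bridge name is an assumption)
if [ "${1:-}" != "" ]; then
    apply_bridge "$1"
fi
```

Run it once with DRY_RUN=1 to review the exact rules before letting it touch the live FORWARD chain; the -I keeps the guest rules ahead of any later catch-all DROP that FIAIF installs.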
