FIAIF and Xen

postmaster email hidden
Mon Nov 30 20:19:19 CET 2009


Fiaif does not support bridged firewalling, byt you should be albe
to add specific lines thoug fiaif post start scripts. These scripts
are executed once fiaif is started (or restarted), and can insert
custom rules, which seems to fit your needs.

Look for POST_START_SCRIPT in fiaif.conf.

Example:
POST_START_SCRIPT[0]="iptables -I1 FORWARD -m physdev --physdev-in
main.eth0 -j ACCEPT"

(untested)

Regards
Anders Fugmann

Jose Juan Montes wrote:
> Hello.
> 
> We use FIAIF to secure our hosts, but we are having some issues with
> FIAIF and Xen:
> 
> When Xen starts a new guest domain, it automatically adds an iptables
> rule like the following one:
> 
> 8281   638158 ACCEPT     all  --  *      *       0.0.0.0/0           
> 0.0.0.0/0           PHYSDEV match --physdev-in main.eth0
> 
> Where "main.eth0" is the interface name that corresponds to a particular
> virtual machine. This rule allows network packets to traverse the Dom0
> host and reach the virtual machine.
> 
> These rules are added dynamically by Xen, and therefore, they are lost
> if after that point we restart FIAIF.
> 
> We would like to set similar rules statically so we can safely restart
> FIAIF. Currently we are adding generic rules that match the interface
> network range. It works, but it's not ideal as some undesired packages
> will go through.
> 
> Is there a way we can set those rules at FIAIF level?
> 
> Thank you very much for your help.
> 
> Best regards.
> 



More information about the fiaif mailing list