FIAIF and Xen

Jose Juan Montes email hidden
Tue Dec 1 13:04:55 CET 2009


Thank you very much :-).
> Fiaif does not support bridged firewalling, but you should be able
> to add specific lines through fiaif post start scripts. These scripts
> are executed once fiaif is started (or restarted), and can insert
> custom rules, which seems to fit your needs.
>
> Look for POST_START_SCRIPT in fiaif.conf.
>
> Example:
> POST_START_SCRIPT[0]="iptables -I FORWARD 1 -m physdev --physdev-in main.eth0 -j ACCEPT"
>
> (untested)
>
> Regards
> Anders Fugmann
>
> Jose Juan Montes wrote:
>> Hello.
>>
>> We use FIAIF to secure our hosts, but we are having some issues with
>> FIAIF and Xen:
>>
>> When Xen starts a new guest domain, it automatically adds an iptables
>> rule like the following one:
>>
>> 8281   638158 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in main.eth0
>>
>> Where "main.eth0" is the interface name that corresponds to a particular
>> virtual machine. This rule allows network packets to traverse the Dom0
>> host and reach the virtual machine.
>>
>> These rules are added dynamically by Xen, and therefore, they are lost
>> if after that point we restart FIAIF.
>>
>> We would like to set similar rules statically so we can safely restart
>> FIAIF. Currently we are adding generic rules that match the interface
>> network range. It works, but it's not ideal as some undesired packages
>> will go through.
>>
>> Is there a way we can set those rules at FIAIF level?
>>
>> Thank you very much for your help.
>>
>> Best regards.
>>
>
> _______________________________________________
> fiaif mailing list
> fiaif at fiaif.net
> https://www.fiaif.net/mailman/listinfo/fiaif


-- 

José Juan Montes
Área de Sistemas - Aitire

C./ Príncipe Nº 34, Principal, Oficina 3
36201 Vigo, Pontevedra
Teléfono: +34 986 163 050
www.aitire.es
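As an added example (not code from this thread, nor FIAIF's or Xen's own), here is a POST_START_SCRIPT helper along the lines Anders suggests, which re-creates the per-guest PHYSDEV ACCEPT rule for every Xen guest interface instead of hard-coding main.eth0. The interface-name pattern used for discovery, the IPTABLES and DRY_RUN variables, and the use of `iptables -C` to avoid duplicate rules are assumptions of this script.

```shell
#!/bin/sh
# Re-insert the PHYSDEV ACCEPT rules that Xen adds for each guest, so they
# survive a FIAIF restart. Added example, not part of FIAIF or Xen.
# IPTABLES and DRY_RUN are hypothetical knobs of this script.

IPTABLES=${IPTABLES:-iptables}
DRY_RUN=${DRY_RUN:-0}

# Discover guest backend interfaces on the bridge. Assumption: they are
# named "<domain>.<nic>" as in the thread (main.eth0) or the stock "vifN.M".
xen_guest_ifaces() {
    for dev in /sys/class/net/*; do
        name=${dev##*/}
        case "$name" in
            vif*.*|*.eth*) printf '%s\n' "$name" ;;
        esac
    done
}

# Build the command that inserts one rule at the top of FORWARD, so it is
# evaluated before FIAIF's own zone chains; it matches only frames that
# entered the bridge through that guest's interface.
physdev_rule() {
    printf '%s -I FORWARD 1 -m physdev --physdev-in %s -j ACCEPT\n' "$IPTABLES" "$1"
}

# Emit (DRY_RUN=1) or execute the rule for each interface given as an
# argument, or for every discovered guest interface when none are given.
apply_physdev_rules() {
    if [ $# -eq 0 ]; then set -- $(xen_guest_ifaces); fi
    for iface in "$@"; do
        # Skip interfaces that already have the rule (idempotent on re-runs).
        if [ "$DRY_RUN" = 0 ] && "$IPTABLES" -C FORWARD -m physdev --physdev-in "$iface" -j ACCEPT 2>/dev/null; then
            continue
        fi
        cmd=$(physdev_rule "$iface")
        if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$cmd"; else $cmd; fi
    done
}
```

Run it with DRY_RUN=1 first to review the rules it would insert, then point POST_START_SCRIPT[0] in fiaif.conf at the script so the rules are restored every time FIAIF starts.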



