FIAIF and Xen
Jose Juan Montes
Tue Dec 1 13:04:55 CET 2009
Thank you very much :-).
> Fiaif does not support bridged firewalling, but you should be able
> to add specific lines through fiaif post start scripts. These scripts
> are executed once fiaif is started (or restarted), and can insert
> custom rules, which seems to fit your needs.
> Look for POST_START_SCRIPT in fiaif.conf.
> POST_START_SCRIPT="iptables -I FORWARD 1 -m physdev --physdev-in main.eth0 -j ACCEPT"
> Anders Fugmann
> Jose Juan Montes wrote:
>> We use FIAIF to secure our hosts, but we are having some issues with
>> FIAIF and Xen:
>> When Xen starts a new guest domain, it automatically adds an iptables
>> rule like the following one:
>> 8281 638158 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in main.eth0
>> Where "main.eth0" is the interface name that corresponds to a particular
>> virtual machine. This rule allows network packets to traverse the Dom0
>> host and reach the virtual machine.
>> These rules are added dynamically by Xen, and therefore, they are lost
>> if after that point we restart FIAIF.
>> We would like to set similar rules statically so we can safely restart
>> FIAIF. Currently we are adding generic rules that match the interface
>> network range. It works, but it's not ideal as some undesired packages
>> will go through.
>> Is there a way we can set those rules at FIAIF level?
>> Thank you very much for your help.
>> Best regards.
José Juan Montes
Systems Department - Aitire
C./ Príncipe Nº 34, Principal, Oficina 3
36201 Vigo, Pontevedra
Phone: +34 986 163 050
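The post-start approach suggested above, written out as an added example (not code from the FIAIF project or from either poster): a script that can be referenced from POST_START_SCRIPT and re-inserts one physdev ACCEPT rule per guest interface into FORWARD after every FIAIF restart. The interface list `VIF_LIST`, the `IPTABLES` override and the function names are assumptions; the rule itself matches the one Xen adds, which is narrower than a source-network rule because it only accepts frames that really entered through that guest's vif.

```shell
#!/bin/sh
# Added example, not FIAIF's own code. Re-adds per-guest physdev rules so a
# FIAIF restart does not silently drop the rules Xen inserted at domain start.

# Guest interfaces allowed to forward traffic (constructed sample list).
VIF_LIST="main.eth0 web.eth0"

# Rule manager; override (e.g. with a stub) for testing without root.
: "${IPTABLES:=iptables}"

# Accept only plain interface names (IFNAMSIZ is 16 incl. NUL), so a stray
# entry in the list cannot smuggle extra iptables arguments into the rule.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Rule specification (everything after the chain name) for one guest vif.
build_physdev_rule() {
    printf '%s\n' "-m physdev --physdev-in $1 -j ACCEPT"
}

# Insert each rule at position 1 of FORWARD unless an identical rule already
# exists (iptables -C exits 0 when it does), so reruns stay idempotent.
# Prints the number of rules actually added.
add_physdev_rules() {
    count=0
    for vif in $VIF_LIST; do
        if ! valid_ifname "$vif"; then
            echo "skipping invalid interface name: $vif" >&2
            continue
        fi
        spec=$(build_physdev_rule "$vif")
        # shellcheck disable=SC2086  # $spec is meant to split into arguments
        if ! $IPTABLES -C FORWARD $spec 2>/dev/null; then
            $IPTABLES -I FORWARD 1 $spec
            count=$((count + 1))
        fi
    done
    echo "$count"
}
```

Save it as an executable file, point POST_START_SCRIPT at it in fiaif.conf, and keep VIF_LIST in step with the guests defined on the Dom0.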