Tim Verhoeven wrote on Thu, 17 Jul 2008 10:15:49 +0200:
For restricting traffic at the dom0 level I use ebtables (it's like
iptables but on a bridge level). It allows you to do basic filtering
between the real interfaces (from the dom0) and virtual interfaces
(from the domU's). This off
John Thomas wrote on Sun, 13 Jul 2008 07:44:14 -0700:
but I think everything is the same, as if you
have physical machines.
It's not, see my remark about forwarding ;-) Maybe you need forwarding on
your physical machines, I do not ;-)
Kai
--
Kai Schätzl, Berlin, Germany
I took over a custom firewall script from my older Suse machines to my
Dom-Us and it works just fine. Doing the same for Dom-0 immediately killed
all traffic for the VMs. As there was no need before, I had been dropping
everything on the FORWARD chain. After ACCEPTing all for FORWARD my VMs
are
Kai Schaetzl wrote:
What's best practice on Dom-0, what do you do? Can I restrict the
forwarding, in which way?
I use vmware, not XEN, but I think everything is the same, as if you
have physical machines.
I use shorewall everywhere and find it great.
http://shorewall.net
rpms: