Mailing List Archive

Securing the host's networking ?
Hey folks

I have installed Xen on a machine and everything works so amazingly
well. I can run ttylinux and some of those premade distribution
images.

My networking setup is very simple and is as follows:

Internet <---> eth0 <---> xen-br0 <----> Xen guests

I do have two questions:

First, I've noticed that on most bridging HOWTO's they state that eth0
should be set to 0.0.0.0, however I've noticed that on my machine it
is configured with an IP (via the distribution init scripts) and that
xen-br0 simply copies its IP. Is this normal ?

Also, I've noticed that when I do run a xen guest, it creates a
network port to do whatever it does. My concern is that I've noticed
I can reach this port from the outside world and I assume that may be
a security risk. So I was wondering are there iptables scripts to lock
down a xen machine ? or a bridging setup ?

I don't understand too much about this bridging networking, so I
wouldn't really know how to go about creating an iptables script for
the host.

Thanks!!

Dana

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Re: Securing the host's networking ?
On Monday 16 May 2005 10:17 am, Dana Lux wrote:

> I don't understand too much about this bridging networking, so I
> wouldn't really know how to go about creating an iptables script for
> the host.
>

I'm not too sure either, buuuut

I've noticed that when you do

iptables BLAH BLAH BLAH -i eth0

it doesn't work, while ....

iptables BLAH BLAH BLAH

works fine

*shrug*

Sunny Dubey

Re: Securing the host's networking ?
On Mon, May 16, 2005 at 10:17:34AM -0400, Dana Lux [dana.lux@gmail.com] wrote:
> Internet <---> eth0 <---> xen-br0 <----> Xen guests
>
> I do have two questions:
>
> First, I've noticed that on most bridging HOWTO's they state that eth0
> should be set to 0.0.0.0, however I've noticed that on my machine it
> is configured with an IP (via the distribution init scripts) and that
> xen-br0 simply copies its IP. Is this normal ?

Yes, that's how it is supposed to be (in a simple case like yours).
The matter is that once an interface is part of a
bridge it doesn't see traffic on ethX anymore but on brX, so in the cases
described in the HOWTOs they just consider that ethX might as well have
0.0.0.0.
But in the case of the xen scripts, they just copy the IP of ethX to brX
so as not to cut the network link.



Dom

--
Dominique Rousseau
Neuronnexion, Prestataire Internet & Intranet
57, route de Paris 80000 Amiens
tel: 03 22 71 61 90 - fax: 03 22 71 61 99 - http://www.neuronnexion.fr
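
Added example, not part of any message in this thread: a sketch of a host ruleset written against the bridge instead of the enslaved NIC, plus a check that flags rules still using `-i eth0`. Both function names, the SSH port and the use of the physdev match (which needs bridge netfilter support in the kernel) are assumptions, not details given by the posters.

```shell
#!/bin/sh
# Added example (not from the thread). Interface names are parameters;
# allowing SSH is an assumption about what the host needs to expose.

# host_ruleset BRIDGE PHYS_PORT SSH_PORT
# Prints an iptables-restore ruleset: default-drop INPUT, so any service
# listening on the host is unreachable unless explicitly allowed.
host_ruleset() {
    br=$1; phys=$2; ssh=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Traffic for the host arrives on the bridge, not on the enslaved NIC,
# so match on $br; physdev narrows it to frames that entered via $phys.
-A INPUT -i $br -m physdev --physdev-in $phys -p tcp --dport $ssh -m state --state NEW -j ACCEPT
# Frames bridged between $phys and the guest interfaces pass unfiltered.
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
COMMIT
EOF
}

# enslaved_iface_rules PHYS_PORT
# Reads rules on stdin and prints those that match "-i PHYS_PORT".
# Once PHYS_PORT is a bridge port such rules never match host traffic.
enslaved_iface_rules() {
    grep -v '^#' |
        grep -E -- "(^|[[:space:]])-i[[:space:]]+$1([[:space:]]|\$)" || true
}
```

As root, `host_ruleset xen-br0 eth0 22 | iptables-restore` loads the rules; piping an existing `iptables-save` dump through `enslaved_iface_rules eth0` lists the rules that need rewriting.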
