Mark Clarke wrote:
> Hi all,
> 
> I have read and implemented the configuration for Xen dom0 as described
> in "Xen - Shorewall in Bridged Xen Dom0". I have one question though.
> 
> It seems to me that there is no protection for Dom0 in the configuration
> as described. Shouldn't the lines in /etc/shorewall/policy :
> 
> ursa            all             ACCEPT
> net             ursa            ACCEPT
> 
> rather be
> 
> ursa            all             ACCEPT
> net             ursa            REJECT INFO
> 
> And then allow ports in /etc/shorewall/rules -- The only port I can
> see useful for Dom0 is port 22 for remote maintenance?
> E.G.
> 
> ACCEPT          net                xen    ssh #where xen is enbr0:vif0.0
> 
> 
> At least in my setup for servers I have a minimal Dom0 and just use it
> to run and control the virtual machines. It needs the most protection as
> breaching Dom0 will result in all virtual machines being vulnerable.
> 
> Am I missing something?

Yes. And your confusion only serves to underscore how difficult it is to
understand and firewall a bridged Dom0.

The ursa zone is an artifact of how Shorewall defines zones and is basically
empty. 'ursa' is a superset of the $FW zone but the complement of the
$FW zone in ursa never has any processes running in it and it never has any
IPv4 addresses. So protecting the ursa zone gives you nothing that isn't
already provided by protecting the $FW zone.

And your statement that Dom0 needs the most protection is also suspect. From
a firewall point of view, the DomUs are *outside of Dom0*. So they are
perfectly accessible without going through Dom0.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
