>> >> Am I missing something?
>
> Yes. And your confusion only serves to underscore how difficult it is to
> understand and firewall a bridged Dom0.
>
> The ursa zone is an artifact of how Shorewall defines zones and is basically
> empty. 'ursa' is a superset of the $FW zone but the complement of the
> $FW zone in ursa never has any processes running in it and it never has any
> IPv4 addresses. So protecting the ursa zone gives you nothing that isn't
> already provided by protecting the $FW zone.
Hi Tom,

Thanks for the info. Xen networking is very arcane for me :(. I will need some
time to adjust the model I have in my head to account for your information ...
hopefully it doesn't take too long.

I am still a bit confused about the protection offered though. If there is no
real firewall traffic going through the ursa zone then shouldn't the lines in
policy disallow access from all, and the net zone in particular, to the
firewall?

    all fw ACCEPT
    fw all ACCEPT

Maybe the gap in my understanding is that ursa/firewall is protected by the
dmz zone rules/policy? Maybe this line in /etc/interfaces is the part I am
missing? i.e. dmz == all doms including dom0.

    dmz xenbr0:vif+ routeback

I can understand that everything on peth0 should be allowed in as it is
essentially in promiscuous mode and needs to forward/broadcast all traffic
through to the bridge. Then shorewall just needs to ensure that only
legitimate traffic is allowed through the virtual interfaces.

>
> And your statement that Dom0 needs the most protection is also suspect. From
> a firewall point of view, the DomUs are *outside of Dom0*. So they are
> perfectly accessible without going through Dom0.
>

My understanding is that they are protected by the dmz zone rules running in
Dom0?

Thanks for the help.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
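As an added illustration (not part of this thread and not Shorewall's own code), the following Python evaluates the policy-file precedence the question turns on: which zones the posted "all fw ACCEPT / fw all ACCEPT" policy lets reach the firewall zone, compared with a constructed tighter policy. The zone list and the tightened policy are assumptions for the demo.

```python
# Added example (not from the thread or the Shorewall project): evaluate which
# zones a Shorewall /etc/shorewall/policy lets reach the firewall zone.
# Shorewall uses the first matching policy line, top-down; "all" matches any zone.
from typing import List, Optional, Tuple

ZONES = ["fw", "ursa", "net", "dmz"]  # zones named in the thread (assumed complete)

# Policy as posted in the question: SOURCE DEST POLICY [LOG LEVEL].
POSTED_POLICY = """\
#SOURCE  DEST  POLICY  LOG LEVEL
all      fw    ACCEPT
fw       all   ACCEPT
"""

# Constructed tighter alternative: default-deny (and log) traffic towards the
# firewall; anything Dom0 must expose is opened explicitly in the rules file.
TIGHTENED_POLICY = """\
#SOURCE  DEST  POLICY  LOG LEVEL
fw       all   ACCEPT
net      fw    DROP    info
dmz      fw    REJECT  info
all      all   REJECT  info
"""

Entry = Tuple[str, str, str, Optional[str]]

def parse_policy(text: str) -> List[Entry]:
    """Parse policy lines, skipping blank lines and '#' comments."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        src, dst, action = fields[:3]
        level = fields[3] if len(fields) > 3 else None
        entries.append((src, dst, action.upper(), level))
    return entries

def effective_policy(entries: List[Entry], src: str, dst: str) -> str:
    """First matching entry wins; 'all' is a wildcard on either side."""
    for esrc, edst, action, _ in entries:
        if esrc in (src, "all") and edst in (dst, "all"):
            return action
    return "NONE"  # no entry covers this pair; Shorewall rejects such a file

def zones_accepted_to(entries: List[Entry], dst: str = "fw") -> List[str]:
    """Zones whose traffic to `dst` is accepted by policy alone (no rules needed)."""
    return [z for z in ZONES if z != dst and effective_policy(entries, z, dst) == "ACCEPT"]
```

The evaluator treats ursa as an ordinary zone; as Tom notes above, it carries no traffic of its own, so the entry that matters in practice is the one for net.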
