Re: [Xen-devel] Bridging firewall?
On Mon, Jan 24, 2005 at 12:12:00AM +0100, Matthieu PATOU wrote:
> On Fri, 21 Jan 2005 13:55:35 +0000
> Grzegorz Milos <gm281@xxxxxxxxxxxxxxxx> wrote:
>
> > > Is it possible with Xen to construct something like the following
> > > scenario.
> > >
> > > Free/NetBSD (*) domU server running pf or Linux/iptables, acting as a
> > > routing or bridging firewall for all the other domU guests? Furthermore
> > > create virtual DMZ and internal services.
>
> I've done it and it's running since two or three months at home and it seems to
> work ...

For the comments below I assume you are using Linux as your firewall OS.

> Not sure, see my setup:
> I've two cards in dom0: eth0 and eth1. eth1 is linked to my xDSL modem, eth0
> to a switch for other physical machines; eth0 is also shared with other xenU
> domains (those which are considered to be behind the firewall).
> br0 encapsulates eth0, one of the virtual network cards of my firewall (the one
> considered filtered) and the other xenU virtual network cards.
> br1 encapsulates eth1 and the other virtual network card.

So in a sense you've put your virtual servers on the same network as some of your internal machines.

> My basic idea was not to configure eth1 at all; I thought that if the
> interface is not activated there is no chance of attacking xen0.
> It turns out that in order to have the packets directed to xenFirewall-input, I
> must do ifconfig eth1 up.

I've been thinking that the following similar method is possible, without resorting to giving physical device access to a domU. Basically the same as above, except I'll just have a virtual eth1.

Put dom0 and a virtual NIC for the firewall (domU1-eth0, say) on br0/eth0. Put domU1-veth1 and all the other domUs on br1. Then set up domU1 as a bridging firewall. Admin domU1 either via the console from dom0, or set up a third private internal accessible from dom0 or a management VPN. So there are three bridges.
Not sure how well it would perform, or whether the net/freebsd virtual NIC drivers can handle this scenario. It seems workable though. Pf+altq are by far nicer than iptables.

Nicholas

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/xen-devel
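Added example, not code from the thread: a Python check of the three-bridge layout Nicholas proposes, run over constructed `brctl show` output as dom0 would print it. The bridge names, the Xen `vif<domid>.<devid>` port naming and domU1 as the firewall domain are assumptions; it flags any other domain whose ports span br0 and br1, since such a guest would carry traffic around the bridging firewall.

```python
"""Check a dom0 bridge layout for the 'domU as bridging firewall' design.

Assumed layout (constructed, not from the post): br0 = eth0 + vif1.0 (domU1,
the firewall's outside leg; dom0 lives here); br1 = vif1.1 (firewall inside
leg) + vif2.0, vif3.0 (protected domUs). Only the firewall may span bridges.
"""
import re
from collections import defaultdict
# Constructed `brctl show` output as seen in dom0 (Xen names guest ports vif<domid>.<devid>).
BRCTL_GOOD = (
    "bridge name\tbridge id\t\tSTP enabled\tinterfaces\n"
    "br0\t\t8000.000000000001\tno\t\teth0\n"
    "\t\t\t\t\t\t\tvif1.0\n"
    "br1\t\t8000.000000000002\tno\t\tvif1.1\n"
    "\t\t\t\t\t\t\tvif2.0\n"
    "\t\t\t\t\t\t\tvif3.0\n"
)
# Same layout, but domU3's second NIC landed on br0: domU3 now straddles both segments.
BRCTL_BAD = BRCTL_GOOD.replace("\tvif1.0\n", "\tvif1.0\n\t\t\t\t\t\t\tvif3.1\n")
VIF_RE = re.compile(r"^vif(\d+)\.\d+$")

def parse_brctl(text):
    """Map bridge name -> list of ports; indented continuation lines belong to the previous bridge."""
    bridges, current = {}, None
    for line in filter(str.strip, text.splitlines()[1:]):   # skip header and blank lines
        if line[0].isspace():
            bridges[current].append(line.strip())
        else:
            fields = line.split()
            current = fields[0]
            bridges[current] = fields[3:]                   # 4th column is the first port, if any
    return bridges

def domain_of(port):
    m = VIF_RE.match(port)
    return int(m.group(1)) if m else None   # None: physical NIC (eth0) or unknown port name

def find_bypasses(bridges, firewall_domid):
    """Domains other than the firewall with ports on more than one bridge (paths around it)."""
    spans = defaultdict(set)
    for br, ports in bridges.items():
        for p in ports:
            d = domain_of(p)
            if d is not None:
                spans[d].add(br)
    return {d: sorted(b) for d, b in spans.items() if len(b) > 1 and d != firewall_domid}

def physical_on_bridge(bridges, name):
    """Physical NICs on a bridge; the protected bridge br1 should have none in this design."""
    return [p for p in bridges.get(name, []) if domain_of(p) is None]
```

On a real dom0 the same functions can be fed the output of `brctl show` directly; a non-empty result from `find_bypasses` or a physical NIC on the protected bridge means the firewall domU is not the only path between the segments.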