
Re: [Xen-users] Firewall in a guest domain?



Mike Hoesing wrote:
> Anyone want to share a step-by-step howto for approach 4 below?
>
> * Dedicate a physical device to a "firewall domain" and have it filter on that interface for all the other domains.

I've got this working, though not to my liking yet. To duplicate my setup:

Build or otherwise obtain a Xen0 kernel with the modules for your NIC(s). Use 'lspci' to find the PCI addresses for the devices you want to use in the DomU. Update the Xen entry for Xen0 in your GRUB config; mine looks like:

kernel /boot/xen-2.0.6.gz dom0_mem=131072 physdev_dom0_hide='(01:04.0)(00:04.0)(01:0a.0)'

Create a Xen guest definition file. **Use the _Xen0_ kernel as the kernel for the guest**. Add the PCI devices you hid from the host kernel to the file. My definition looks like:

pci = [ '01,04,0', '00,04,0', '01,0a,0' ]

Copy the /lib/modules data from your Xen0 kernel into the filesystem of the guest. Reboot to put the GRUB changes into effect, then start your guest. Install and configure your firewalling software, and go. I use my guest kernel as my DHCP server/gateway/firewall/router for the rest of my home network, including the host kernel; I just treat the eth0 within the guest as an interface to be NATed.

My issues so far are 1) extreme instability, which, for now, I'm assuming is caused by the heat in my apartment and 2) the wireless NIC I stuck in the guest is up and running according to iwconfig and ifconfig, but I can't see the signal from a client. There are known issues using a WiFi card behind a bridge, but since it's on the other side in my setup, I'm pretty puzzled. More as I figure stuff out...

-sten
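The fiddly part of the recipe above is that the same PCI addresses have to be written twice in two different notations: `(bb:ss.f)` inside `physdev_dom0_hide=` on the GRUB kernel line, and `'bb,ss,f'` inside the guest's `pci = [ ... ]` list. A device that is hidden but not handed to the guest ends up owned by nobody, and a device listed for the guest but not hidden is still claimed by dom0. The script below is an added example, not part of this post or of Xen itself: it parses `lspci` output (the lines embedded here are constructed sample input, not from sten's machine), keeps the network controllers, emits both strings in the formats shown in the post, and cross-checks that the two agree. The function names are my own.

```python
"""Derive the dom0-hide option and the guest 'pci = [...]' line from lspci output.

Added example; not code from the original mailing-list post or from Xen.
The lspci text below is constructed sample input; the address formats are the
ones shown in the post (Xen 2.0.x).
"""
import re

# Constructed sample of `lspci` output: three NICs destined for the firewall
# guest, plus an IDE controller that must stay with dom0.
SAMPLE_LSPCI = """\
00:04.0 Ethernet controller: Intel Corporation 82557/8/9 Ethernet Pro 100 (rev 08)
00:1f.1 IDE interface: Intel Corporation 82801AA IDE (rev 02)
01:04.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10)
01:0a.0 Network controller: Atheros Communications, Inc. AR5212 802.11abg NIC (rev 01)
"""

# bus:slot.function followed by the device description
BDF_RE = re.compile(r"^([0-9a-f]{2}):([0-9a-f]{2})\.([0-9a-f])\s+(.*)$")


def parse_lspci(text):
    """Return (bus, slot, func, description) tuples for every lspci line."""
    devices = []
    for line in text.splitlines():
        m = BDF_RE.match(line.strip())
        if m:
            devices.append(m.groups())
    return devices


def select_network_devices(devices):
    """Keep only the network interfaces; those are what the firewall domain gets."""
    return [d for d in devices
            if d[3].startswith(("Ethernet controller", "Network controller"))]


def dom0_hide_option(devices):
    """GRUB kernel-line option that hides the devices from dom0: physdev_dom0_hide='(bb:ss.f)...'"""
    inner = "".join(f"({b}:{s}.{f})" for b, s, f, _ in devices)
    return f"physdev_dom0_hide='{inner}'"


def guest_pci_line(devices):
    """Guest definition line that hands the devices to the domU: pci = [ 'bb,ss,f', ... ]"""
    entries = ", ".join(f"'{b},{s},{f}'" for b, s, f, _ in devices)
    return f"pci = [ {entries} ]"


def check_consistency(hide_option, pci_line):
    """Return the set of (bus, slot, func) triples present in only one of the two
    strings. An empty set means every hidden device is given to the guest and
    every guest device is hidden from dom0."""
    hidden = set(re.findall(r"\(([0-9a-f]{2}):([0-9a-f]{2})\.([0-9a-f])\)", hide_option))
    given = set(re.findall(r"'([0-9a-f]{2}),([0-9a-f]{2}),([0-9a-f])'", pci_line))
    return hidden ^ given


if __name__ == "__main__":
    nics = select_network_devices(parse_lspci(SAMPLE_LSPCI))
    hide = dom0_hide_option(nics)
    pci = guest_pci_line(nics)
    print("GRUB kernel line option :", hide)
    print("guest definition line   :", pci)
    print("mismatched devices      :", check_consistency(hide, pci) or "none")
```

On a real box, replace `SAMPLE_LSPCI` with the output of `lspci`; `check_consistency` is also handy for diffing an existing `/boot/grub/menu.lst` entry against an existing guest file, since it only needs the two strings, not the parsed device list.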

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
