
[Xen-users] Ideal(istic) Xen firewall design



Hi all,

I've managed to setup a Xen firewall/server host.
I used a design similar to one posted previously,
except that my internal interfaces aren't bridged.
It looks something like this (in my head;)):

-------------------------------------------------------------------------------------------
CURRENT SETUP
=============
            ______________________________________
            |              dom0                  |
            |        __________________          |
            |        |   Firewall     |          |
Local eth0 =|========|  (Shorewall)   |==========|= eth1 Internet
            |        |________________|          |
            |    vif2.0 |          | vif3.0      |
            | __________|___     __|____________ |
            | | Web Server |     | Mail Server | |
            | |  (Apache2) |     |  (Courier)  | |
            | |____________|     |_____________| |
            |____________________________________|

    DETAILS:
     - Xen 2.0.7 stable
     - dom0:
        - 128MB RAM
        - Debian sid (sid has ext2resize)
        - boot and root on plain ext3 (no raid or lvm)
        - striped swap on 2 drives (64MB + 64MB)
        - all other filesystems on raid0+lvm
        - eth0 and eth1 are hidden
        - the domUs are autoloaded in order at boot time
            using numbered links in /etc/xen/auto:
                01-Firewall --> ../Firewall
                02-WebServer --> ../WebServer
                03-MailServer --> ../MailServer
     - Firewall (!dom0)
        - privileged driver domain using eth0 and eth1
        - exports backend network interfaces to domUs
     - WebServer (domU)
        - 80MB RAM, 64MB swap
     - MailServer (domU)
        - 64MB RAM, 64MB swap
   
    Before you get over excited about hardware, the host is a
    P3/650 with 640MB RAM on an Asus P2B-VM with 2 x 3c905 nics,
    2 x 4.3GB IDE, 1 x 6.4GB IDE, 1 x CD/DVD, and 1 x USB2.0 PCI.
   
    PROBLEMS:
     - As dom0 has no network access, I'm unable to update the
        system clock using ntpdate. With the clocks of the domUs
        being tied to the dom0 clock it is not possible to have
        the time automatically updated.
     - There are no hotplug events associated with the backend
        network for the driver domain, so to bring the vif interfaces
        up in the Firewall a 1 minute cron script checks vif2.0 & 3.0.
        Crude.
     - The domUs can not be restarted at will as the vifs created
        in the Firewall are assigned new numbers.

-------------------------------------------------------------------------------------------
POSSIBLE SOLUTIONS
==================
To get around the problems above, would I be better off with dom0
handling some/all bridging and networks (and ntpdate)? A few posts in the
list have suggested something like this, but I can't see how it's done.
I can think of a few possibilities, but so far have been unable to
implement any of them (hence this verbose and messy post;)).

Option A
========
            ________________________________________
            |        ____________________          |
            |        |    Firewall      |          |
            |        |   (Shorewall)    |          |
            |        |__________________|          |
            |                | | |                 |
            | ______________ | | | _______________ |
            | | Web Server | | | | | Mail Server | |
            | |  (Apache2) | | | | |  (Courier)  | |
            | |____________| | | | |_____________| |
            |           |    | | |    |            |
            |           |    | | |    |            |
            |        ___|____|_|_|____|___         |
            |        |                   |         |
Local eth0 =|========|       dom0        |=========|= eth1 Internet
            |________|___________________|_________|


    DETAILS:
    - dom0
       - eth0 and eth1 are associated with separate bridges which
          are exported to the Firewall.
       - backend network interfaces are exported to the domUs and
          associated with an internal DMZ bridge (also exported to
          the Firewall).

Option B
========
            ________________________________________
            |        ____________________          |
            |        |    Firewall      |          |
            |        |   (Shorewall)    |==========|= eth1 Internet
            |        |__________________|          |
            |                |   |                 |
            | ______________ |   | _______________ |
            | | Web Server | |   | | Mail Server | |
            | |  (Apache2) | |   | |  (Courier)  | |
            | |____________| |   | |_____________| |
            |           |    |   |    |            |
            |           |    |   |    |            |
            |        ___|____|___|____|___         |
            |        |                   |         |
Local eth0 =|========|       dom0        |         |
            |________|___________________|_________|

    DETAILS:
       - dom0 exports a bridge with eth0 to Firewall, and
          a bridge with network backends to the domUs

Option C
========
            ________________________________________
            |        ____________________          |
            |        |    Firewall      |          |
Local eth0 =|========|   (Shorewall)    |==========|= eth1 Internet
            |        |__________________|          |
            |                  |                   |
            | ______________   |   _______________ |
            | | Web Server |   |   | Mail Server | |
            | |  (Apache2) |   |   |  (Courier)  | |
            | |____________|   |   |_____________| |
            |           |      |      |            |
            |           |      |      |            |
            |        ___|______|______|___         |
            |        |                   |         |
            |        |       dom0        |         |
            |________|___________________|_________|


    DETAILS:
       - dom0 exports a network backend which is bridged
          to domUs as they are brought up

-------------------------------------------------------------------------------------------

So far, Option C looks like a possibility ...
however, as with this email, I got stuck :)

Thanks for reading the preamble, now on to my question:

QUESTION:
I think I've explained what I want ... how do I do it?

Marcus.


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
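The following is an added example, not part of Marcus's post and not Xen project code. It shows the dom0-side plumbing for the "Option C" layout he sketches: dom0 owns a single Layer-2 bridge, every domU (the Shorewall firewall included) plugs a vif into it, and the firewall domU is the only thing that routes between that segment and the physical NICs. Assumptions not in the post: the bridge is called dmzbr0, the firewall domain is id 1 (vif1.0), the Shorewall zones are loc/dmz/net, and bridge-utils plus iproute2 are installed in dom0. Setting DRY_RUN=1 prints the command plan instead of executing it, so the wiring can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example (not from the original post or the Xen project): dom0-side
# setup for an "Option C" style layout. Assumed names: bridge "dmzbr0",
# firewall domU vif "vif1.0", Shorewall zones loc/dmz/net.
# Requires bridge-utils and iproute2 in dom0. Run "sh setup.sh apply" as root
# to execute, or DRY_RUN=1 to print the plan instead.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# An L2-only bridge: dom0 deliberately gets no IP address on it, so a
# compromised DMZ guest has no direct path to dom0; its only way out is the
# firewall domU that also sits on this bridge.
make_dmz_bridge() {
    br=$1
    run brctl addbr "$br"
    run brctl stp "$br" off      # single host, no loops: avoid STP delay/chatter
    run brctl setfd "$br" 0
    run ip link set "$br" up
}

# Plug a guest's backend vif into the bridge (the per-vif step Xen's
# vif-bridge script performs once the bridge exists).
attach_vif() {
    br=$1; vif=$2
    run ip link set "$vif" up
    run brctl addif "$br" "$vif"
}

# Xen 2.x-style vif line for a domU config file: a fixed MAC keeps firewall
# rules and DHCP reservations valid when the guest is restarted and its vif
# in dom0 gets a new number.
vif_config_line() {
    mac=$1; br=$2
    printf "vif = [ 'mac=%s, bridge=%s' ]\n" "$mac" "$br"
}

# Default-deny Shorewall policy for the assumed zones, in the column order
# of /etc/shorewall/policy (SOURCE DEST POLICY LOG-LEVEL). Only explicit
# rules in /etc/shorewall/rules can open anything beyond these lines.
shorewall_policy() {
    cat <<'EOF'
loc   net   ACCEPT
loc   dmz   ACCEPT
dmz   net   ACCEPT
dmz   loc   DROP    info
net   all   DROP    info
all   all   REJECT  info
EOF
}

# The whole bridge plan for the three guests in the post.
plan() {
    make_dmz_bridge dmzbr0
    attach_vif dmzbr0 vif1.0   # firewall domU's DMZ leg (assumed domain id 1)
    attach_vif dmzbr0 vif2.0   # web server, as numbered in the post
    attach_vif dmzbr0 vif3.0   # mail server, as numbered in the post
}

if [ "${1:-}" = "apply" ]; then
    plan
fi
```

Usage: `DRY_RUN=1 sh setup.sh apply` lists the ten brctl/ip commands; without DRY_RUN they are executed, which needs root in dom0. The key design point is that dmzbr0 carries no dom0 address at all, so dom0 stays off the network exactly as in the current setup, while the firewall domU, not dom0, decides what crosses between the DMZ, the local LAN and the Internet.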