Re: [Xen-users] Ideal(istic) Xen firewall design
Hi Marcus,

Marcus Brown wrote:
>Hi all,
>
>I've managed to set up a Xen firewall/server host.
>I used a design similar to one posted previously,
>except that my internal interfaces aren't bridged.
>It looks something like this (in my head;)):
>
>-------------------------------------------------------------------------------------------
>CURRENT SETUP
>=============
>             ______________________________________
>            |                 dom0                 |
>            |         __________________           |
>            |        |     Firewall     |          |
>Local eth0 =|========|   (Shorewall)    |==========|= eth1 Internet
>            |        |__________________|          |
>            |  vif2.0|                  | vif3.0   |
>            |  ______|_______     ______|________  |
>            |  | Web Server |     | Mail Server |  |
>            |  | (Apache2)  |     |  (Courier)  |  |
>            |  |____________|     |_____________|  |
>            |______________________________________|
>
> DETAILS:
> - Xen 2.0.7 stable
> - dom0:
>   - 128MB RAM
>   - Debian sid (sid has ext2resize)
>   - boot and root on plain ext3 (no raid or lvm)
>   - striped swap on 2 drives (64MB + 64MB)
>   - all other filesystems on raid0+lvm
>   - eth0 and eth1 are hidden
>   - the domUs are autoloaded in order at boot time
>     using numbered links in /etc/xen/auto:
>       01-Firewall   --> ../Firewall
>       02-WebServer  --> ../WebServer
>       03-MailServer ..> ../MailServer
> - Firewall (!dom0)
>   - privileged driver domain using eth0 and eth1
>   - exports backend network interfaces to domUs
> - WebServer (domU)
>   - 80MB RAM, 64MB swap
> - MailServer (domU)
>   - 64MB RAM, 64MB swap
>
> Before you get over excited about hardware, the host is a
> P3/650 with 640MB RAM on an Asus P2B-VM with 2 x 3c905 nics,
> 2 x 4.3GB IDE, 1 x 6.4GB IDE, 1 x CD/DVD, and 1 x USB2.0 PCI.
>
> PROBLEMS:
> - As dom0 has no network access, I'm unable to update the
>   system clock using ntpdate. With the clocks of the domUs
>   being tied to the dom0 clock it is not possible to have
>   the time automatically updated.
>

There was a discussion a few weeks ago about setting the time in domUs.
Quoting Ian and Franck from the thread "[Xen-users] Setting the date not working in xen":

"echo 1 > /proc/sys/xen/independent_wallclock
> ntpdate ntp0.oleane.net

independent_wallclock=1 on the kernel command line should fix this too."

As far as I understand, it is not what the xen architects had in mind, but it seems to work.

> - There are no hotplug events associated with the backend
>   network for the driver domain, so to bring the vif interfaces
>   up in the Firewall a 1 minute cron script checks vif2.0 & 3.0.
>   Crude.
>

No idea here. Doesn't iptables allow you to insert rules for interfaces that aren't running yet?

> - The domUs can not be restarted at will as the vifs created
>   in the Firewall are assigned new numbers.
>

Let me see if I understand you: "you mean that after an xm shutdown + xm create your vif is no longer vif2.0 but for example vif4.0?". In this case, try to append another option in the vif line in your domain's config file:

vif = [ 'mac=aa:00:00:56:0e:c4, bridge=xen-br0, vifname=e.g.websv' ]

This way your domU's vif will always have the same name. There are some more interesting options to be found in /usr/lib/python/xen/xm/create.py .

I liked your ASCII drawings ;-).

Hope I could help you a little.

Regards,
Andreas

>-------------------------------------------------------------------------------------------
>POSSIBLE SOLUTIONS
>==================
>To get around the problems above, would I be better off with dom0
>handling some/all bridging and networks (and ntpdate)? A few posts in the
>list have suggested something like this, but I can't see how it's done.
>I can think of a few possibilities, but so far have been unable to
>implement any of them (hence this verbose and messy post;)).
>
>Option A
>========
>             ______________________________________
>            |        ____________________          |
>            |        |     Firewall     |          |
>            |        |   (Shorewall)    |          |
>            |        |__________________|          |
>            |                | | |                 |
>            | ______________ | | |  _______________|
>            | | Web Server | | | |  | Mail Server ||
>            | | (Apache2)  | | | |  |  (Courier)  ||
>            | |____________| | | |  |_____________||
>            |         |      | | |      |          |
>            |         |      | | |      |          |
>            |        _|______|_|_|______|_         |
>            |        |                   |         |
>Local eth0 =|========|       dom0        |=========|= eth1 Internet
>            |________|___________________|_________|
>
>
> DETAILS:
> - dom0
>   - eth0 and eth1 are associated with separate bridges which
>     are exported to the Firewall.
>   - backend network interfaces are exported to the domUs and
>     associated with an internal DMZ bridge (also exported to
>     the Firewall).
>
>Option B
>========
>             ______________________________________
>            |        ____________________          |
>            |        |     Firewall     |          |
>            |        |   (Shorewall)    |==========|= eth1 Internet
>            |        |__________________|          |
>            |                 | |                  |
>            | ______________  | |   _______________|
>            | | Web Server |  | |   | Mail Server ||
>            | | (Apache2)  |  | |   |  (Courier)  ||
>            | |____________|  | |   |_____________||
>            |         |       | |       |          |
>            |         |       | |       |          |
>            |        _|_______|_|_______|_         |
>            |        |                   |         |
>Local eth0 =|========|       dom0        |         |
>            |________|___________________|_________|
>
> DETAILS:
> - dom0 exports a bridge with eth0 to Firewall, and
>   a bridge with network backends to the domUs
>
>Option C
>========
>             ______________________________________
>            |        ____________________          |
>            |        |     Firewall     |          |
>Local eth0 =|========|   (Shorewall)    |==========|= eth1 Internet
>            |        |__________________|          |
>            |                  |                   |
>            | ______________   |    _______________|
>            | | Web Server |   |    | Mail Server ||
>            | | (Apache2)  |   |    |  (Courier)  ||
>            | |____________|   |    |_____________||
>            |         |        |        |          |
>            |         |        |        |          |
>            |        _|________|________|_         |
>            |        |                   |         |
>            |        |       dom0        |         |
>            |________|___________________|_________|
>
>
> DETAILS:
> - dom0 exports a network backend which is bridged
>   to domUs as they are brought up
>
>-------------------------------------------------------------------------------------------
>
>So far, Option C looks like a possibility ...
>however, as with this email, I got stuck :)
>
>Thanks for reading the preamble, now on to my question:
>
>QUESTION:
>I think I've explained what I want ... how do I do it?
>
>Marcus.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
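The vifname suggestion in the reply above only helps if every domU config actually carries one, so here is an added example (not from the thread or from Xen itself) that lints Xen 2.x domain config files for vif entries lacking a fixed vifname= or mac=; the sample configs are constructed and their paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: lint Xen 2.x domU config files so every
# vif entry sets a fixed 'vifname=' (and a 'mac='). Without vifname a restarted
# domU gets a new vifN.0 number in the driver domain and firewall rules written
# against that name stop matching. Assumes a single-line 'vif = [ ... ]' entry.

check_vif_config() {
    cfg="$1"
    rc=0
    vifline=$(grep '^[[:space:]]*vif[[:space:]]*=' "$cfg" 2>/dev/null || true)
    if [ -z "$vifline" ]; then
        echo "$cfg: no vif line"
        return 1
    fi
    # Drop the 'vif =' prefix and split on single quotes; each field that
    # still contains '=' is one interface definition.
    old_ifs=$IFS
    IFS='
'
    for entry in $(printf '%s\n' "$vifline" | sed 's/^[^=]*=//' | tr "'" '\n' | grep '='); do
        case "$entry" in
            *vifname=*) ;;
            *) echo "$cfg: vif entry has no vifname (renamed on restart): $entry"; rc=1 ;;
        esac
        case "$entry" in
            *mac=*) ;;
            *) echo "$cfg: vif entry has no fixed mac: $entry"; rc=1 ;;
        esac
    done
    IFS=$old_ifs
    return $rc
}

# Constructed sample configs; paths are placeholders, not the poster's files.
write_samples() {
    cat > "$1/WebServer" <<'EOF'
name = "WebServer"
vif = [ 'mac=aa:00:00:56:0e:c4, bridge=xen-br0, vifname=websv' ]
EOF
    cat > "$1/MailServer" <<'EOF'
name = "MailServer"
vif = [ 'bridge=xen-br0' ]
EOF
}

# Stand-alone run over the samples; in real use point it at /etc/xen/<domain>.
tmp=$(mktemp -d); write_samples "$tmp"
for f in "$tmp/WebServer" "$tmp/MailServer"; do check_vif_config "$f" || echo "  -> fix $f first"; done
rm -rf "$tmp"
```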