|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-users] Ideal(istic) Xen firewall design
Hi Dirk,
stuffed that last one up, still getting used to Thunderbird ;)
2nd attempt:
Hi Dirk,
OOPS, stuffed up the last msg, still getting used to Thunderbird.
2nd attempt :)
Dirk H. Schulz wrote:
> Marcus Brown schrieb:
>
>> Option C-v3
>>
>> ===========
>> Internet
>> |
>> eth1
>> ______________________|_______________________
>> | _____________|_______________ |
>> | | Firewall | |
>> Local eth0 =|========| (Shorewall) |=======|= eth2 DMZ
>> (optional)
>> | |___________________________| |
>> | eth4 | eth5 |
>> | ______________ | eth3 | _______________ |
>> | | Web Server | | | | | iPaq Server | |
>> | | (Apache2) | | | | | (Bluetooth) |=|= USB Host #1
>> | |____________| | | | |_____________| | (for BT Dongle)
>> | eth0 \ | | | / eth0 |
>> | _______________\| | |/ |
>> | | Mail Server | | | | |
>> | | (Courier) | | | | |
>> | |_____________| | | | |
>> | eth0 \| | | |
>> | | | | |
>> | br1 | br2 |
>> | ! br0 ! |
>> | _____________|_____________ |
>> | | | |
>> | | dom0 | |
>> |________|_________________________|_________|
>>
>>
>> Thanks for the hint, I was just compiling vlan support into dom0 when
>> your message arrived, so you've probably saved me from wandering
>> further into a pointless excercise! :)
>> I'll start playing with dummies instead! lol
>>
>>
> I will soon try something similar, so I try following the thread. :-)
>
> What exactly is a dummy interface (I have found some hints on its existence,
> but nothing detailed)? And can I configure it like a real interface in
> /etc/network/interfaces with "iface dummyX inet static ..."?
>
Linux Kernel v2.6.11.12-xen0 Configuration
ââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
ââââââââââââââââââââââââââââââââââââ Dummy net driver support
âââââââââââââââââââââââââââââââââââââ
â CONFIG_DUMMY:
â
â
â
â This is essentially a bit-bucket device (i.e. traffic you send to
â
â this device is consigned into oblivion) with a configurable IP
â
â address. It is most commonly used in order to make your currently
â
â inactive SLIP address seem like a real address for local programs.
â
â If you use SLIP or PPP, you might want to say Y here. Since this
â
â thing often comes in handy, the default is Y. It won't enlarge your
â
â kernel either. What a deal. Read about it in the Network
â
â Administrator's Guide, available from
â
â <http://www.tldp.org/docs.html#guide>.
â
â
â
â To compile this driver as a module, choose M here: the module
â
â will be called dummy. If you want to use more than one dummy
â
â device at a time, you need to compile this driver as a module.
â
â Instead of 'dummy', the devices will then be called 'dummy0',
â
â 'dummy1' etc.
â
â
â
â Symbol: DUMMY [=m]
â
â Prompt: Dummy net driver support
â
â Defined at drivers/net/Kconfig:24
â
â Depends on: NETDEVICES
â
â Location:
â
â -> Device Drivers
â
â -> Networking support
â
â -> Network device support (NETDEVICES [=y])
â
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
eg:
/etc/modules
dummy -o dummy0
dummy -o dummy1
dummy -o dummy2
...etc
/etc/network/interfaces
auto dummy0
iface dummy0 inet static
address 192.168.254.1
netmask 255.255.255.248
network 192.168.254.0
broadcast 192.168.254.7
gateway 192.168.254.6
auto dummy1
iface dummy1 inet static
address 192.168.254.9
netmask 255.255.255.248
network 192.168.254.8
broadcast 192.168.254.15
post-up brctl addbr br1 || true
post-up brctl addif br1 dummy1 || true
# post-up ifconfig br1 192.168.254.33/28
post-down brctl delif br1 dummy1
auto dummy2
iface dummy2 inet static
address 192.168.254.17
netmask 255.255.255.248
network 192.168.254.16
broadcast 192.168.254.23
post-up brctl addbr br2 || true
post-up brctl addif br2 dummy2 || true
# post-up ifconfig br2 192.168.254.33/28
post-down brctl delif br2 dummy2
...etc
my /etc/xen/Firewall now contains:
nics=11
vif = [ 'mac=aa:00:00:00:22:01, bridge=br10',
'mac=aa:00:00:25:40:01, bridge=xen-br0',
'mac=aa:00:00:25:40:09, bridge=br1',
'mac=aa:00:00:25:40:17, bridge=br2',
'mac=aa:00:00:25:40:25, bridge=br3',
'mac=aa:00:00:25:40:33, bridge=br4',
'mac=aa:00:00:25:40:49, bridge=br5',
'mac=aa:00:00:25:40:45, bridge=br6',
'mac=aa:00:00:25:40:73, bridge=br7',
'mac=aa:00:00:25:40:81, bridge=br8',
'mac=aa:00:00:25:40:97, bridge=br9' ]
(br10 is currently just a place holder, as I'm missing a 3rd network
card atm)
> Regarding your drawing: Is the Firewall a xen guest system? And if yes, how
> did you transfer the real interfaces to it? If no, how is the firewall
> separated from dom0?
>
The Firewall is a privileged domain (dom1 if you like:) ).
The PCI network cards are hidden from dom0,
and exported to the Firewall using it's config script.
The configs look like this:
Linux Kernel v2.6.11.12-xen0 Configuration
ââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
âââââââââââââââââââââââââââââââââââââââââââââââ XEN
âââââââââââââââââââââââââââââââââââââââââââââââ
â
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
â
â â [*] Privileged Guest (domain 0)
â â
â â --- Physical device access
â â
â â [*] Block-device backend driver
â â
â â [*] Network-device backend driver
â â
â â [*] Block-device frontend driver
â â
â â [*] Network-device frontend driver
â â
â â [ ] Pipelined transmitter (DANGEROUS)
â â
â â [*] Scrub memory before freeing it to Xen
â â
â â Processor Type (X86) --->
â â
â
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
â
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
Linux Kernel v2.6.11.12-Firewall Configuration
ââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
âââââââââââââââââââââââââââââââââââââââââââââââ XEN
âââââââââââââââââââââââââââââââââââââââââââââââ
â
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
â
â â [*] Privileged Guest (domain 0)
â â
â â --- Physical device access
â â
â â [*] Block-device backend driver
â â
â â [*] Network-device backend driver
â â
â â [*] Block-device frontend driver
â â
â â [*] Network-device frontend driver
â â
â â [ ] Pipelined transmitter (DANGEROUS)
â â
â â [*] Scrub memory before freeing it to Xen
â â
â â Processor Type (X86) --->
â â
â
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
â
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
Linux Kernel v2.6.11.12-xenU Configuration
ââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
âââââââââââââââââââââââââââââââââââââââââââââââ XEN
âââââââââââââââââââââââââââââââââââââââââââââââ
â
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
â
â â [ ] Privileged Guest (domain 0)
â â
â â [ ] Physical device access
â â
â â [*] Block-device frontend driver
â â
â â [*] Network-device frontend driver
â â
â â [ ] Pipelined transmitter (DANGEROUS)
â â
â â [*] Scrub memory before freeing it to Xen
â â
â â Processor Type (X86) --->
â â
â
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
â
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
dom0 /boot/grub/menu.lst includes:
title Debian Xen Stable no-initrd 2.0.7 2.6.11.12-xen0
root (hd0,0)
kernel /xen-2.0.7.gz root=/dev/hda3 ro dom0_mem=131072
physdev_dom0_hide=(00:0a.0)(00:0b.0)(00:09.0)(00:09.1)(00:09.2)(00:09.3)(00:06.0)
module /vmlinuz-2.6.11.12-xen0 root=/dev/hda3 ro console=tty0
savedefault
boot
/etc/xen/Firewall includes
pci = ['00,0b,0', '00,0a,0' ]
So, in Firewall domain, lspci now shows:
0000:00:0a.0 Ethernet controller: 3Com Corporation 3c905B 100BaseTX
[Cyclone] (rev 30)
0000:00:0b.0 Ethernet controller: 3Com Corporation 3c905B 100BaseTX
[Cyclone] (rev 64)
> I am afraid to come up with unqualified questions, but I just started digging
> into complex networking schemes.
I guess someone will tell you if your question isn't relevant to the list.
I've got a coloured version (hey it's therapy!) with more domUs,
but here's an ASCII version of the current design:
OPTION C-v3.1
=============
Internet
|
eth1
________________________________________|__________________________________________
|
________________________________|__________________________________ |
| |
| |
| | Firewall
| |
Local eth0 =|=======| (dom1)
|=======|= eth2 DMZ
|
|_________________________________________________________________| |
(optional)
| | | |
|
| eth3 eth4 eth5
|
| | ________________ | ______________ |
_______________ |
| | | Proxy Server | | | Web Server | | | iPaq
Server | |
| | | (domU1) | | | (domU2) | | | (dom2)
|========|= USB Host #1
| | |______________| | |____________| |
|_____________| | (for BT Dongle)
| | / | / | /
| ( and cradle )
| | / | / _______________ | /
|
| |/ |/ | Mail Server | |/
|
| | | | (domU3) | |
|
| | | |_____________| |
|
| | | / |
|
| | | / |
|
| | |/ |
|
| xen-br0 br1 br1
|
| | ! !
|
|
___|_______________________________________________________________ |
| |
| |
| | dom0
| |
|_______|_________________________________________________________________|_______|
Marcus.
_______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-users
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |