
Re: [Xen-users] Ideal(istic) Xen firewall design



Hi Dirk,

stuffed that last one up, still getting used to Thunderbird ;)

2nd attempt:

Dirk H. Schulz wrote:

> Marcus Brown schrieb:
>
>> Option C-v3
>>
>> ===========
>>                               Internet
>>                                  |
>>                                eth1
>>             ______________________|_______________________
>>             |        _____________|_______________       |
>>             |        |        Firewall           |       |
>> Local eth0 =|========|       (Shorewall)         |=======|= eth2 DMZ 
>> (optional)
>>             |        |___________________________|       |
>>             |               eth4  |  eth5                |
>>             | ______________  | eth3  |  _______________ |
>>             | | Web Server |  |   |   |  | iPaq Server | |
>>             | |  (Apache2) |  |   |   |  | (Bluetooth) |=|= USB Host #1
>>             | |____________|  |   |   |  |_____________| |  (for BT Dongle)
>>             |          eth0 \ |   |   | / eth0           |
>>             | _______________\|   |   |/                 |
>>             | | Mail Server | |   |   |                  |
>>             | |  (Courier)  | |   |   |                  |
>>             | |_____________| |   |   |                  |
>>             |          eth0  \|   |   |                  |
>>             |                 |   |   |                  |
>>             |                br1  |  br2                 |
>>             |                 !  br0  !                  |
>>             |        _____________|_____________         |
>>             |        |                         |         |
>>             |        |          dom0           |         |
>>             |________|_________________________|_________|
>>
>>
>> Thanks for the hint, I was just compiling vlan support into dom0 when
>> your message arrived, so you've probably saved me from wandering
>> further into a pointless exercise! :)
>> I'll start playing with dummies instead! lol
>>
>>
> I will soon try something similar, so I try following the thread. :-)
>
> What exactly is a dummy interface (I have found some hints on its existence, 
> but nothing detailed)? And can I configure it like a real interface in 
> /etc/network/interfaces with "iface dummyX inet static ..."?
>
 Linux Kernel v2.6.11.12-xen0 Configuration

 Dummy net driver support
 CONFIG_DUMMY:

 This is essentially a bit-bucket device (i.e. traffic you send to
 this device is consigned into oblivion) with a configurable IP
 address. It is most commonly used in order to make your currently
 inactive SLIP address seem like a real address for local programs.
 If you use SLIP or PPP, you might want to say Y here. Since this
 thing often comes in handy, the default is Y. It won't enlarge your
 kernel either. What a deal. Read about it in the Network
 Administrator's Guide, available from
 <http://www.tldp.org/docs.html#guide>.

 To compile this driver as a module, choose M here: the module
 will be called dummy.  If you want to use more than one dummy
 device at a time, you need to compile this driver as a module.
 Instead of 'dummy', the devices will then be called 'dummy0',
 'dummy1' etc.

 Symbol: DUMMY [=m]
 Prompt: Dummy net driver support
   Defined at drivers/net/Kconfig:24
   Depends on: NETDEVICES
   Location:
     -> Device Drivers
       -> Networking support
         -> Network device support (NETDEVICES [=y])

eg:
/etc/modules

dummy -o dummy0
dummy -o dummy1
dummy -o dummy2
...etc

/etc/network/interfaces

auto dummy0
iface dummy0 inet static
        address 192.168.254.1
        netmask 255.255.255.248
        network 192.168.254.0
        broadcast 192.168.254.7
        gateway 192.168.254.6

auto dummy1
iface dummy1 inet static
        address 192.168.254.9
        netmask 255.255.255.248
        network 192.168.254.8
        broadcast 192.168.254.15
        post-up brctl addbr br1 || true
        post-up brctl addif br1 dummy1 || true
        # post-up ifconfig br1 192.168.254.33/28
        post-down brctl delif br1 dummy1

auto dummy2
iface dummy2 inet static
        address 192.168.254.17
        netmask 255.255.255.248
        network 192.168.254.16
        broadcast 192.168.254.23
        post-up brctl addbr br2 || true
        post-up brctl addif br2 dummy2 || true
        # post-up ifconfig br2 192.168.254.33/28
        post-down brctl delif br2 dummy2

...etc


my /etc/xen/Firewall now contains:

        nics=11
        vif = [ 'mac=aa:00:00:00:22:01, bridge=br10',
                'mac=aa:00:00:25:40:01, bridge=xen-br0',
                'mac=aa:00:00:25:40:09, bridge=br1',
                'mac=aa:00:00:25:40:17, bridge=br2',
                'mac=aa:00:00:25:40:25, bridge=br3',
                'mac=aa:00:00:25:40:33, bridge=br4',
                'mac=aa:00:00:25:40:49, bridge=br5',
                'mac=aa:00:00:25:40:45, bridge=br6',
                'mac=aa:00:00:25:40:73, bridge=br7',
                'mac=aa:00:00:25:40:81, bridge=br8',
                'mac=aa:00:00:25:40:97, bridge=br9' ]

(br10 is currently just a placeholder, as I'm missing a 3rd network
card atm)

> Regarding your drawing: Is the Firewall a xen guest system? And if yes, how 
> did you transfer the real interfaces to it? If no, how is the firewall 
> separated from dom0?
>
The Firewall is a privileged domain (dom1 if you like:) ).

The PCI network cards are hidden from dom0,
and exported to the Firewall using its config script.

The configs look like this:

 Linux Kernel v2.6.11.12-xen0 Configuration

 XEN
   [*] Privileged Guest (domain 0)
   --- Physical device access
   [*]   Block-device backend driver
   [*]   Network-device backend driver
   [*] Block-device frontend driver
   [*] Network-device frontend driver
   [ ]   Pipelined transmitter (DANGEROUS)
   [*] Scrub memory before freeing it to Xen
       Processor Type (X86)  --->

 Linux Kernel v2.6.11.12-Firewall Configuration

 XEN
   [*] Privileged Guest (domain 0)
   --- Physical device access
   [*]   Block-device backend driver
   [*]   Network-device backend driver
   [*] Block-device frontend driver
   [*] Network-device frontend driver
   [ ]   Pipelined transmitter (DANGEROUS)
   [*] Scrub memory before freeing it to Xen
       Processor Type (X86)  --->

 Linux Kernel v2.6.11.12-xenU Configuration

 XEN
   [ ] Privileged Guest (domain 0)
   [ ] Physical device access
   [*] Block-device frontend driver
   [*] Network-device frontend driver
   [ ]   Pipelined transmitter (DANGEROUS)
   [*] Scrub memory before freeing it to Xen
       Processor Type (X86)  --->


dom0 /boot/grub/menu.lst includes:
        title Debian Xen Stable no-initrd 2.0.7 2.6.11.12-xen0
        root (hd0,0)
        kernel /xen-2.0.7.gz root=/dev/hda3 ro dom0_mem=131072 physdev_dom0_hide=(00:0a.0)(00:0b.0)(00:09.0)(00:09.1)(00:09.2)(00:09.3)(00:06.0)
        module /vmlinuz-2.6.11.12-xen0 root=/dev/hda3 ro console=tty0
        savedefault
        boot

/etc/xen/Firewall includes
        pci = ['00,0b,0', '00,0a,0' ]

So, in the Firewall domain, lspci now shows:
        0000:00:0a.0 Ethernet controller: 3Com Corporation 3c905B 100BaseTX [Cyclone] (rev 30)
        0000:00:0b.0 Ethernet controller: 3Com Corporation 3c905B 100BaseTX [Cyclone] (rev 64)


> I am afraid to come up with unqualified questions, but I just started digging 
> into complex networking schemes.

I guess someone will tell you if your question isn't relevant to the list.



I've got a coloured version (hey it's therapy!) with more domUs,
but here's an ASCII version of the current design:

OPTION C-v3.1
=============
                                                Internet
                                                    |
                                                  eth1
            ________________________________________|__________________________________________
            |       ________________________________|__________________________________       |
            |       |                                                                 |       |
            |       |                            Firewall                             |       |
Local eth0 =|=======|                             (dom1)                              |=======|= eth2 DMZ
            |       |_________________________________________________________________|       |   (optional)
            |          |                      |                    |                          |
            |        eth3                   eth4                 eth5                         |
            |          |   ________________   |   ______________   |   _______________        |
            |          |   | Proxy Server |   |   | Web Server |   |   | iPaq Server |        |
            |          |   | (domU1)      |   |   | (domU2)    |   |   | (dom2)      |========|= USB Host #1
            |          |   |______________|   |   |____________|   |   |_____________|        | (for BT Dongle)
            |          |  /                   |  /                 |  /                       | ( and cradle )
            |          | /                    | / _______________  | /                        |
            |          |/                     |/  | Mail Server |  |/                         |
            |          |                      |   | (domU3)     |  |                          |
            |          |                      |   |_____________|  |                          |
            |          |                      |  /                 |                          |
            |          |                      | /                  |                          |
            |          |                      |/                   |                          |
            |       xen-br0                  br1                  br1                         |
            |          |                      !                    !                          |
            |       ___|_______________________________________________________________       |
            |       |                                                                 |       |
            |       |                              dom0                               |       |
            |_______|_________________________________________________________________|_______|




Marcus.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
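The checks below are an added example, not code from Marcus's post or from Xen. The design in the message rests on a few facts holding at once: every PCI NIC handed to the firewall domain via pci= is also in dom0's physdev_dom0_hide list (otherwise both kernels drive the card), each vif has a unique, locally-administered unicast MAC and sits on its own bridge (two firewall vifs on one bridge would join two segments), and the hand-written network/broadcast values in each dummyN stanza agree with address/netmask. The script reads those fragments as quoted above (the GRUB_HIDE, FIREWALL_CFG and INTERFACES strings are copied from the message) and reports anything that breaks them; the function names and messages are the editor's own.

```python
"""Consistency checks for a Xen 2.0-style firewall-domain build as in this
thread: NICs hidden from dom0 and handed to one domain, one vif per bridge,
dummy interfaces carrying each segment.  Added example, not code from the
post or from Xen; the config strings are copied from the message, the check
logic and function names are the editor's own."""
import ipaddress
import re

# From the dom0 grub menu.lst kernel line quoted in the message.
GRUB_HIDE = ("physdev_dom0_hide=(00:0a.0)(00:0b.0)(00:09.0)(00:09.1)"
             "(00:09.2)(00:09.3)(00:06.0)")

# From /etc/xen/Firewall as quoted in the message.
FIREWALL_CFG = """
vif = [ 'mac=aa:00:00:00:22:01, bridge=br10',
        'mac=aa:00:00:25:40:01, bridge=xen-br0',
        'mac=aa:00:00:25:40:09, bridge=br1',
        'mac=aa:00:00:25:40:17, bridge=br2',
        'mac=aa:00:00:25:40:25, bridge=br3',
        'mac=aa:00:00:25:40:33, bridge=br4',
        'mac=aa:00:00:25:40:49, bridge=br5',
        'mac=aa:00:00:25:40:45, bridge=br6',
        'mac=aa:00:00:25:40:73, bridge=br7',
        'mac=aa:00:00:25:40:81, bridge=br8',
        'mac=aa:00:00:25:40:97, bridge=br9' ]
pci = ['00,0b,0', '00,0a,0' ]
"""

# First two dummy stanzas from the message's /etc/network/interfaces.
INTERFACES = """
auto dummy0
iface dummy0 inet static
        address 192.168.254.1
        netmask 255.255.255.248
        network 192.168.254.0
        broadcast 192.168.254.7
        gateway 192.168.254.6

auto dummy1
iface dummy1 inet static
        address 192.168.254.9
        netmask 255.255.255.248
        network 192.168.254.8
        broadcast 192.168.254.15
"""


def hidden_devices(cmdline):
    """PCI devices dom0 is told to ignore, as lspci-style 'bb:dd.f' strings."""
    m = re.search(r"physdev_dom0_hide=((?:\([^)]*\))+)", cmdline)
    return set(re.findall(r"\(([^)]*)\)", m.group(1))) if m else set()


def assigned_devices(cfg):
    """Devices in the domain's pci = [...] list, normalised to 'bb:dd.f'."""
    m = re.search(r"pci\s*=\s*\[(.*?)\]", cfg, re.S)
    triples = re.findall(r"'([0-9a-f]{2}),([0-9a-f]{2}),([0-9a-f])'",
                         m.group(1) if m else "", re.I)
    return {f"{b}:{d}.{f}".lower() for b, d, f in triples}


def vifs(cfg):
    """(mac, bridge) pairs from the domain's vif = [...] list."""
    m = re.search(r"vif\s*=\s*\[(.*?)\]", cfg, re.S)
    return re.findall(r"mac=([0-9a-f:]{17}),\s*bridge=([\w-]+)",
                      m.group(1) if m else "", re.I)


def check_domain(cmdline, cfg):
    """Errors are plain strings; informational items start with 'note:'."""
    out, hidden, assigned = [], hidden_devices(cmdline), assigned_devices(cfg)
    out += [f"pci {d}: given to the domain but not hidden from dom0"
            for d in sorted(assigned - hidden)]
    out += [f"note: {d} hidden from dom0 but not assigned in this config"
            for d in sorted(hidden - assigned)]
    seen_mac, seen_br = set(), set()
    for mac, br in vifs(cfg):
        first = int(mac[:2], 16)          # first octet carries the I/G and U/L bits
        if first & 0x01:
            out.append(f"{mac}: multicast bit set, not a usable unicast MAC")
        if not first & 0x02:
            out.append(f"{mac}: not locally administered (Xen's aa:00:00 prefix is)")
        if mac.lower() in seen_mac:
            out.append(f"{mac}: duplicate MAC")
        if br in seen_br:
            out.append(f"{br}: two vifs of one domain on the same bridge")
        seen_mac.add(mac.lower())
        seen_br.add(br)
    return out


def check_interfaces(text):
    """network/broadcast/gateway in each static stanza must fit address/netmask."""
    out = []
    for stanza in re.split(r"\n(?=auto )", text.strip()):
        name = re.search(r"iface (\S+) inet static", stanza)
        if not name:
            continue
        kv = dict(re.findall(r"^\s*(address|netmask|network|broadcast|gateway)\s+(\S+)",
                             stanza, re.M))
        net = ipaddress.ip_network(f"{kv['address']}/{kv['netmask']}", strict=False)
        if "network" in kv and kv["network"] != str(net.network_address):
            out.append(f"{name.group(1)}: network should be {net.network_address}")
        if "broadcast" in kv and kv["broadcast"] != str(net.broadcast_address):
            out.append(f"{name.group(1)}: broadcast should be {net.broadcast_address}")
        if "gateway" in kv and ipaddress.ip_address(kv["gateway"]) not in net:
            out.append(f"{name.group(1)}: gateway {kv['gateway']} is outside {net}")
    return out
```

Run against the message's own fragments, `check_domain(GRUB_HIDE, FIREWALL_CFG)` returns no errors and five notes, one for each device that is hidden from dom0 but absent from the Firewall's pci= list (00:06.0 and 00:09.0 to 00:09.3); the message does not show which other domain, if any, receives them, so the script only flags them for review. `check_interfaces(INTERFACES)` returns an empty list for the two stanzas as posted.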

 

