Re: [Xen-users] firewalls and Xen
On Tue, 2006-02-14 at 10:44 -0600, Daniel Goertzen wrote:
> FYI I am implementing a firewall using firehol in a domU. It has 3
> interfaces which are plugged into 3 bridges in my dom0 (internet, lan,
> and dmz). Only 2 of the bridges connect to physical ethernet interfaces
> (internet, lan); the other one is meant for routing to dmz domU's only.
> My setup is not complete but partial tests are showing good results.

On the two systems I set up running xen3 and a firewall, I found it made much more sense to create a firewall domU with a minimal OS, and do all my iptables filtering there.

Just like Daniel describes, I created a bridge for each physical interface, connected the physical interface and firewall domU to each of those bridges, then created one additional bridge (my XEN DMZ) to which I attached the firewall, dom0's veth0 and all other domU's.

+-------+   +---------+                   +-----------+
| peth0 |---| br0eth0 |           +-------|veth0 dom0 |
+-------+   +---------+           |       +-----------+
                |                 |
            +--eth0--+            |
            |        |            |
            |        e            |
            | fire1  t   +--------+   +-----------+
            | domU1  h---| br2dmz |---|eth0 domU2 |
            |        2   +--------+   +-----------+
            |        |            |
            +--eth1--+            |
                |                 |
+-------+   +---------+           |       +-----------+
| peth1 |---| br1eth1 |           +-------|eth0 domU3 |
+-------+   +---------+                   +-----------+

From the firewall domU's perspective, it doesn't see any bridges, just eth0, eth1, etc. This makes setting up firewall/NAT rules much easier, plus it's more secure, because you don't need all the packages in the firewall domU that dom0 needs to run Xen. Plus, we're not routing traffic through dom0's IP stack (it just deals with bridging).

Since dom0 is where all the physical network interfaces, bridges, and disk devices are visible, it is the most critical system on the box, security-wise. If someone gets into dom0, they have the keys to the kingdom.
By not routing any traffic through dom0, and keeping it behind the firewall (or making it completely inaccessible from the network), you reduce the risk that someone could access it and compromise your whole network of systems.

-- 
Patrick Wolfe
email: pwolfe@xxxxxxxxxxxxxx
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
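As an added example (not code from the post or from Xen), here is a small Python model of the layout in Patrick's diagram that checks the invariants his argument relies on (dom0 sits only on the DMZ bridge, the firewall has a leg on every bridge, no other guest touches a bridge carrying a physical NIC) and emits the dom0 brctl commands plus the firewall domU's Xen 3 vif line. Bridge, interface and domain names follow the diagram; the topology table is constructed for illustration, and leaving dom0's veth0 attachment to Xen's own network scripts is an assumption.

```python
# Added example, not code from the post: model the bridged layout in the
# diagram, check the invariants the argument relies on, and emit the dom0
# bridge commands and the firewall domU's Xen 3 "vif" line. Names follow
# the diagram; the topology table below is constructed for illustration.

# (domain, interface, bridge). "phys" rows are physical NICs enslaved to a
# bridge; "dom0" rows are dom0's own virtual interfaces.
TOPOLOGY = [
    ("phys",  "peth0", "br0eth0"),   # internet side
    ("phys",  "peth1", "br1eth1"),   # LAN side
    ("fire1", "eth0",  "br0eth0"),   # firewall domU, one leg per bridge
    ("fire1", "eth1",  "br1eth1"),
    ("fire1", "eth2",  "br2dmz"),
    ("dom0",  "veth0", "br2dmz"),    # dom0 lives behind the firewall
    ("domU2", "eth0",  "br2dmz"),
    ("domU3", "eth0",  "br2dmz"),
]

def bridges_of(topo, domain):
    return {b for d, _, b in topo if d == domain}

def check_isolation(topo, firewall="fire1", dmz="br2dmz"):
    """Return the list of design invariants the topology violates."""
    problems = []
    phys_bridges = bridges_of(topo, "phys")
    # 1. dom0 may only sit on the DMZ bridge, i.e. behind the firewall.
    for b in sorted(bridges_of(topo, "dom0") - {dmz}):
        problems.append(f"dom0 attached to non-DMZ bridge {b}")
    # 2. The firewall needs a leg on every bridge or it cannot filter.
    for b in sorted((phys_bridges | {dmz}) - bridges_of(topo, firewall)):
        problems.append(f"firewall has no interface on {b}")
    # 3. No other guest may touch a bridge that carries a physical NIC.
    for d, iface, b in topo:
        if d not in ("phys", firewall) and b in phys_bridges:
            problems.append(f"{d}:{iface} bypasses the firewall on {b}")
    return problems

def dom0_bridge_commands(topo):
    """brctl commands dom0 runs to create the bridges and enslave the NICs.
    Attaching dom0's own veth0 is left to Xen's network scripts (assumption)."""
    cmds = [f"brctl addbr {b}" for b in sorted({b for _, _, b in topo})]
    cmds += [f"brctl addif {b} {nic}" for d, nic, b in topo if d == "phys"]
    return cmds

def vif_line(topo, domain):
    """The 'vif = [...]' entry for a Xen 3 domU config file (Python syntax)."""
    legs = [f"'bridge={b}'" for d, _, b in topo if d == domain]
    return "vif = [" + ", ".join(legs) + "]"
```

Feeding a modified table (say, a second domU given a leg on br0eth0) to check_isolation shows which guest would bypass the firewall domU.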