Re: [Xen-users] firewalls and Xen
I think that a better solution is to hide the pethX from dom0 and export them to the router domU, because in Xen 3 you are limited to 3 interfaces per domU and you don't get the overhead of the bridging code. The configuration files will be much simpler also. I think it was pciback.hide=(pcidev0)(...)(pcidevN) on the dom0 kernel command line and pci=['pcidev0','...','pcidevN'] in the domU config file. Note that you must have drivers for the hardware in the domainU.

On Tue, 14 Feb 2006, Patrick Wolfe wrote:

> On Tue, 2006-02-14 at 10:44 -0600, Daniel Goertzen wrote:
>
> > FYI I am implementing a firewall using firehol in a domU. It has 3 interfaces which are plugged into 3 bridges in my dom0 (internet, lan, and dmz). Only 2 of the bridges connect to physical ethernet interfaces (internet, lan); the other one is meant for routing to dmz domU's only. My setup is not complete but partial tests are showing good results.
>
> On the two systems I set up running xen3 and a firewall, I found it made much more sense to create a firewall domU with a minimal OS, and do all my iptables filtering there. Just like Daniel describes, I created a bridge for each physical interface, connected the physical interface and firewall domU to each of those bridges, then created one additional bridge (my XEN DMZ) to which I attached the firewall, dom0's veth0 and all other domU's.
>
> +-------+   +---------+                   +-----------+
> | peth0 |---| br0eth0 |           +-------|veth0 dom0 |
> +-------+   +---------+           |       +-----------+
>                  |                |
>             +--eth0--+            |
>             |        |            |
>             |        e            |
>             | fire1  t   +--------+   +-----------+
>             | domU1  h---| br2dmz |---|eth0 domU2 |
>             |        2   +--------+   +-----------+
>             |        |            |
>             +--eth1--+            |
>                  |                |
> +-------+   +---------+           |       +-----------+
> | peth1 |---| br1eth1 |           +-------|eth0 domU3 |
> +-------+   +---------+                   +-----------+
>
> From the firewall domU's perspective, it doesn't see any bridges, just eth0, eth1, etc. This makes setting up firewall/nat rules much easier, plus it's more secure, because you don't need all the packages in the firewall domU that dom0 needs to run Xen. Plus, we're not routing traffic through dom0's IP stack (it just deals with bridging).
>
> Since dom0 is where all the physical network interfaces, bridges, and disk devices are visible, it is the most critical system on the box, security-wise. If someone gets into dom0, they have the keys to the kingdom. By not routing any traffic through dom0, and keeping it behind the firewall (or making it completely inaccessible from the network), you reduce the risk that someone could access it and compromise your whole network of systems.
>
> --
> Patrick Wolfe
> email: pwolfe@xxxxxxxxxxxxxx

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
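As an added example that is not part of this thread: a small Python check of the bridge layout Patrick describes, run over a constructed `brctl show` sample. It verifies the invariants the design depends on (each physical NIC on exactly one bridge, no physical NIC and dom0's veth0 only on the DMZ bridge, the firewall domU present on every bridge). Bridge names come from the diagram; the firewall's domain id (1) and the vif names are assumptions.

```python
import re

# Constructed sample of `brctl show` output for the diagram's layout (the firewall is
# assumed to be domain id 1): peth0 -> br0eth0, peth1 -> br1eth1, br2dmz = DMZ.
SAMPLE_BRCTL = """\
bridge name\tbridge id\t\tSTP enabled\tinterfaces
br0eth0\t\t8000.00163e000001\tno\t\tpeth0
\t\t\t\t\t\t\tvif1.0
br1eth1\t\t8000.00163e000002\tno\t\tpeth1
\t\t\t\t\t\t\tvif1.1
br2dmz\t\t8000.feffffffffff\tno\t\tveth0
\t\t\t\t\t\t\tvif1.2
\t\t\t\t\t\t\tvif2.0
\t\t\t\t\t\t\tvif3.0
"""

def parse_brctl(text):
    """Return {bridge: set(ports)} from `brctl show` output."""
    bridges, current = {}, None
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if not fields:
            continue
        if not line[0].isspace():               # row naming a new bridge
            current = fields[0]
            bridges[current] = set(fields[3:])  # port column may be empty
        else:                                   # continuation row: one more port
            bridges[current].add(fields[0])
    return bridges

def check_layout(bridges, dmz="br2dmz", fw_domid=1):
    """Return the violated invariants (an empty list means the layout is sound)."""
    problems = []
    fw_vif = re.compile(r"vif%d\.\d+$" % fw_domid)
    for br, ports in bridges.items():
        phys = sorted(p for p in ports if p.startswith("peth"))
        if br == dmz and phys:
            problems.append("%s: physical NIC %s on the DMZ bridge" % (br, phys))
        if br != dmz and len(phys) != 1:
            problems.append("%s: expected one physical NIC, found %s" % (br, phys))
        if br != dmz and "veth0" in ports:
            problems.append("%s: dom0's veth0 is exposed to a physical NIC" % br)
        if not any(fw_vif.match(p) for p in ports):
            problems.append("%s: firewall domU %d has no vif here" % (br, fw_domid))
    if "veth0" not in bridges.get(dmz, set()):
        problems.append("%s: dom0's veth0 is not on the DMZ bridge" % dmz)
    return problems

if __name__ == "__main__":
    for msg in check_layout(parse_brctl(SAMPLE_BRCTL)) or ["layout OK"]:
        print(msg)
```

Run it against real `brctl show` output on a dom0 to confirm that nothing but the firewall domU sits between a physical NIC and dom0's own interface.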