
Re: [Xen-users] firewalls and Xen



I think that a better solution is to hide the pethX from dom0 and export them to the router domU, because in xen 3 you are limited to 3 interfaces per domU and you don't get the overhead of the bridging code. The configuration files will also be much simpler.

I think it was pciback.hide=(pcidev0)(...)(pcidevN) on the dom0 kernel command line and
pci=['pcidev0','...','pcidevN'] in the domU config file.
Note that you must have drivers for the hardware in the domU.

On Tue, 14 Feb 2006, Patrick Wolfe wrote:

On Tue, 2006-02-14 at 10:44 -0600, Daniel Goertzen wrote:
FYI I am implementing a firewall using firehol in a domU.  It has 3
interfaces which are plugged into 3 bridges in my dom0 (internet, lan,
and dmz).  Only 2 of the bridges connect to physical ethernet interfaces
(internet, lan); the other one is meant for routing to dmz domUs only.
My setup is not complete but partial tests are showing good results.


On the two systems I set up running xen3 and a firewall, I found it made
much more sense to create a firewall domU with a minimal OS, and do all my
iptables filtering there.  Just like Daniel describes, I created a
bridge for each physical interface, connected the physical interface and
firewall domU to each of those bridges, then created one additional bridge
(my XEN DMZ) to which I attached the firewall, dom0's veth0 and all
other domUs.

+-------+   +---------+               +-----------+
| peth0 |---| br0eth0 |      +--------|veth0 dom0 |
+-------+   +---------+      |        +-----------+
                |            |
           +--eth0--+        |
           |        |        |
           |        e        |
           | fire1  t   +--------+   +-----------+
           | domU1  h---| br2dmz |---|eth0 domU2 |
           |        2   +--------+   +-----------+
           |        |        |
           +--eth1--+        |
                |            |
+-------+   +---------+      |        +-----------+
| peth1 |---| br1eth1 |      +--------|eth0 domU3 |
+-------+   +---------+               +-----------+

From the firewall domU's perspective, it doesn't see any bridges, just
eth0, eth1, etc.  This makes setting up firewall/NAT rules much easier,
plus it's more secure, because you don't need all the packages in the
firewall domU that dom0 needs to run Xen.  Plus, we're not routing
traffic through dom0's IP stack (it just deals with bridging).  Since
dom0 is where all the physical network interfaces, bridges, and disk
devices are visible, it is the most critical system on the box, security
wise.  If someone gets into dom0, they have the keys to the kingdom.

By not routing any traffic through dom0, and keeping it behind the
firewall (or making it completely inaccessible from the network), you
reduce the risk that someone could access it and compromise your whole
network of systems.

--

Patrick Wolfe

email:   pwolfe@xxxxxxxxxxxxxx
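As an added example that is not part of this thread and not Xen's own code: a short Python model of the layout in Patrick's diagram and of the two ways of wiring the firewall domU, the all-bridged layout Patrick describes and the pciback-hide variant from the reply at the top. It checks the property the design depends on, that only the firewall guest has a vif on a bridge carrying a physical NIC (so every packet to or from the wire crosses the firewall and never dom0's IP stack), and renders the xm-style config text for each variant. Bridge and guest names are taken from the diagram; the PCI addresses (00:19.0, 02:00.0), the memory size and the three-vif check (from the reply's statement about xen 3) are assumptions, and the config strings should be checked against the xm documentation for your Xen version.

```python
"""Model of the firewall-domU network layout discussed in this thread.

Constructed example: not code from Xen or from anyone in the thread.
Guest and bridge names follow Patrick Wolfe's diagram; the PCI bus
addresses, the memory size and the three-vif limit are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Bridge:
    name: str
    peth: Optional[str] = None  # physical NIC on this bridge; None for the DMZ-only bridge


@dataclass
class Guest:
    name: str
    vifs: List[str] = field(default_factory=list)  # bridges in vif order (eth0, eth1, ...)


# Topology from the diagram: two bridges carry physical NICs, one is DMZ-only;
# dom0's veth0 and the other domUs sit on the DMZ bridge only.
BRIDGES = [Bridge("br0eth0", "peth0"), Bridge("br1eth1", "peth1"), Bridge("br2dmz")]
GUESTS = [
    Guest("fire1", ["br0eth0", "br1eth1", "br2dmz"]),
    Guest("dom0", ["br2dmz"]),
    Guest("domU2", ["br2dmz"]),
    Guest("domU3", ["br2dmz"]),
]
MAX_VIFS = 3  # assumption: the per-domU interface limit the reply above quotes for xen 3


def external_bridges(bridges: List[Bridge]) -> set:
    """Bridges that carry a physical interface, i.e. touch the outside world."""
    return {b.name for b in bridges if b.peth is not None}


def check_isolation(bridges: List[Bridge], guests: List[Guest],
                    firewall: str) -> List[Tuple[str, str]]:
    """Return (guest, bridge) pairs where a guest other than the firewall
    (dom0 included) is attached to a bridge that carries a physical NIC.
    An empty list means every packet to or from the wire crosses the firewall."""
    ext = external_bridges(bridges)
    return [(g.name, br) for g in guests if g.name != firewall
            for br in g.vifs if br in ext]


def render_bridged_config(guest: Guest, memory: int = 64) -> str:
    """xm-style domU config (Python syntax, as xen 3 read it): one vif per bridge,
    so the guest sees eth0, eth1, eth2 and never the bridges themselves."""
    if len(guest.vifs) > MAX_VIFS:
        raise ValueError(f"{guest.name}: {len(guest.vifs)} vifs exceeds the limit of {MAX_VIFS}")
    vifs = ", ".join(f"'bridge={br}'" for br in guest.vifs)
    return f"name = '{guest.name}'\nmemory = {memory}\nvif = [ {vifs} ]\n"


def render_passthrough(guest: Guest, pci_devs: List[str],
                       dmz_bridge: str) -> Tuple[str, str]:
    """Variant from the top reply: hide the NICs from dom0 with pciback and hand
    them to the firewall domU, so only the DMZ side is a Xen vif and dom0 runs
    no bridge for the external links. Returns (dom0 kernel cmdline fragment,
    domU config text)."""
    cmdline = "pciback.hide=" + "".join(f"({d})" for d in pci_devs)
    devs = ", ".join(f"'{d}'" for d in pci_devs)
    cfg = f"name = '{guest.name}'\npci = [ {devs} ]\nvif = [ 'bridge={dmz_bridge}' ]\n"
    return cmdline, cfg


if __name__ == "__main__":
    print("isolation violations:", check_isolation(BRIDGES, GUESTS, "fire1"))
    print(render_bridged_config(GUESTS[0]))
    # PCI addresses below are placeholders, not real hardware from the thread
    cmdline, cfg = render_passthrough(GUESTS[0], ["00:19.0", "02:00.0"], "br2dmz")
    print(cmdline)
    print(cfg)
```

Run the isolation check whenever a guest is added: a second domU accidentally given a vif on br0eth0 or br1eth1 bypasses the firewall entirely, and nothing in the bridge setup itself will complain.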





_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users


 

