[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-users] Building a DMZ.

To: xen-users@xxxxxxxxxxxxxxxxxxx
From: Old Skywhale <xen@xxxxxxxxxxxx>
Date: Mon, 11 Sep 2006 14:06:55 +0100
Delivery-date: Mon, 11 Sep 2006 06:03:16 -0700
List-id: Xen user discussion <xen-users.lists.xensource.com>

Greetings,
How does one build a DMZ?
I am trying to do the following:-


                  { INTERNET }
                       |
        +-------------eth2--------------+
        |              |                |
        |         [ extbridge ]         |
        |              |                |
        |      +-----vif2.1-----+       |
        |      |                |       |
        |      |  Ext. Firewall |       | 
        |      |   ( dom u2 )   |       |
        |      |                |       |
        |      +-----vif2.0-----+       |
        |              |                |
        |              |                |
        |          [  DMZ  ]-----------eth1
        |              |                |
        |              |                |
        |      +-----vif1.1-----+       |
        |      |                |       |
        |      |  Int. Firewall |       |
        |      |   ( dom u1 )   |       |
        |      |                |       |
        |      +-----vif1.0-----+       |
        |              |                |
        |        [ intbridge ]          |
        |              |                |
        +-------------eth1--------------+
                       |
                  { LOCALNET }


I have a start script ( eventually to go in /etc/init.d) :-

 #!/bin/bash

 /etc/xen/scripts/network-bridge start bridge=intbr netdev=eth0 vifnum=0
 /etc/xen/scripts/network-bridge start bridge=extbr netdev=eth1 vifnum=1
 /etc/xen/scripts/network-bridge start bridge=dmz netdev=eth2 vifnum=2

 /sbin/ifconfig dmz 10.0.0.10 netmask 255.255.255.0 up

 echo 1 > /proc/sys/net/bridge/bridge-nf-call-arptables
 echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
 echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables

 xm create intfw
 xm create extfw


And in my xmconfigs for intfw and extfw I have:

 intfw:vif = [ 'type=ioemu,mac=00:16:3e:0a:01:10,bridge=intbr',
              'type=ioemu,mac=00:16:3e:0a:01:11,bridge=dmz' ]

 extfw:vif = [ 'type=ioemu,mac=00:16:3e:0a:02:20,bridge=dmz',
              'type=ioemu,mac=00:16:3e:0a:02:21,bridge=extbr' ]


Run the start script and all comes up.

However I cannot ping from intfw to extfw.
"brctl showmacs intbr" shows both mac addresses
for the internal firewall on the internal bridge.  
  4     00:16:3e:0a:01:10       no         43.98
  5     00:16:3e:0a:01:11       no         87.64

The same happens with the external firewall, both it's
macs appear on the DMZ if I ping an external address.

I expected the DMZ to have the outbound mac address of the
internal firewall plus the inbound mac address of the external
firewall. Is brctl the wrong tool here?



If anybody has any advice, I would be keen to hear.



kind regards
S. 












_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

Prev by Date: [Xen-users] Unable to create HVM domain on x86 SMP
Next by Date: [Xen-users] software suspend and 32bit
Previous by thread: [Xen-users] Unable to create HVM domain on x86 SMP
Next by thread: [Xen-users] software suspend and 32bit
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.