
[Xen-users] Re: transparent (secure) bridge



Hi Jeroen,

Jeroen Kleijer wrote:
> However, the thing I'm most interested in would be transparent network
> bridging like a firewall bridge where the bridging host (dom0) has no
> exposed IP address to the outside world and is only accessible through
> the console or a completely separate management interface (eth1, not
> accessible from any of the domUs)
>
> Since dom0 has no IP interface exposed to the outside but only acts as
> a bridge from the outside to the domUs, that would make the dom0 a
> bit more secure.

Absolutely. This is the setup I use myself. I have a two-interface firewall in a domU.


> Would such an implementation be feasible or does the dom0 network
> interface always have to have an IP stack for the bridging to work?

A network interface doesn't have to have an IP address to be in use, regardless of whether it is connected to a bridge or not.


This is how I set up the interfaces on the dom0:

# egrep -v "^(#|$)" /etc/network/interfaces
auto lo
iface lo inet loopback
allow-hotplug eth0
iface eth0 inet static
        address 192.168.221.4
        netmask 255.255.255.0
        gateway 192.168.221.2

Note that I don't even bother to mention eth1, the external interface. It doesn't get an IP.


I followed this example:
<http://wiki.xensource.com/xenwiki/XenNetworking#head-7b845eda5e0154fecb98165adbd774f6168119d1>
... which recommended creating a custom network script:

# cat /etc/xen/scripts/my-network-script
#!/bin/sh
dir=$(dirname "$0")
"$dir/network-bridge" "$@" vifnum=0
"$dir/network-bridge" "$@" vifnum=1


... which is then used by xen:

# egrep -v "^(#|$)" /etc/xen/xend-config.sxp
(network-script my-network-script)
(vif-script vif-bridge)
(dom0-min-mem 196)
(dom0-cpus 0)


And finally, the firewall domU is configured like this:

# egrep -v "^(#|$)" /etc/xen/zack.cfg
kernel  = '/boot/vmlinuz-2.6.18-5-xen-686'
ramdisk = '/boot/initrd.img-2.6.18-5-xen-686'
memory  = '96'
root    = '/dev/sda1 ro'
disk    = [ 'phy:vg-james/zack-disk,sda1,w',
            'phy:vg-james/zack-swap,sda2,w' ]
name    = 'zack'
xen_shell = 'zack'
vif  = [ 'mac=00:16:3e:92:7b:c5, bridge=xenbr0',
         'mac=00:16:3e:a6:63:5d, bridge=xenbr1' ]
on_poweroff = 'destroy'
on_reboot   = 'restart'
on_crash    = 'restart'


And don't forget to add "post-up ethtool -K <device> tx off" to the interface stanzas in /etc/network/interfaces of the domUs, like this:

auto eth0
iface eth0 inet dhcp
        post-up ethtool -K eth0 tx off


Good luck!
/Martin Leben
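The setup above works because a bridged interface needs no address of its own, but the property that makes dom0 invisible on the external segment is worth checking rather than assuming. The POSIX shell script below is an added example, not part of the original post and not one of Xen's own scripts: it parses the output of `ip -o addr show` and fails if the external NIC or its bridge (assumed to be eth1 and xenbr1, the names used in the post) carries any IPv4 or IPv6 address. The `ip` output it checks by default is constructed here so the script runs offline; pass `--live` to audit the running dom0. It deliberately counts IPv6 link-local addresses too: the kernel assigns one automatically when an interface comes up, so a dom0 that is IP-less for IPv4 may still answer on fe80::/10 from the outside.

```shell
#!/bin/sh
# Added example (not from the original post): audit that dom0's external
# side is IP-less. The interface names are assumptions taken from the post.
EXT_IFACES="eth1 xenbr1"

# addrs_for IFACE IP_OUTPUT
# Print every inet/inet6 address IFACE carries, parsed from the one-line-
# per-address output of `ip -o addr show` (fields: index, iface, family, addr).
addrs_for() {
    printf '%s\n' "$2" |
        awk -v i="$1" '$2 == i && ($3 == "inet" || $3 == "inet6") { print $4 }'
}

# exposed_addr_count IFACE IP_OUTPUT
# Number of addresses on which dom0 would answer on that segment. IPv6
# link-local (fe80::/10) is counted on purpose: the kernel adds one the
# moment the interface comes up, so an "IP-less" bridge still has it
# unless IPv6 is disabled on that interface.
exposed_addr_count() {
    addrs_for "$1" "$2" | wc -l | tr -d ' '
}

# audit IP_OUTPUT
# One line per external interface; returns 1 if any of them has an address.
audit() {
    rc=0
    for i in $EXT_IFACES; do
        n=$(exposed_addr_count "$i" "$1")
        if [ "$n" -eq 0 ]; then
            echo "OK   $i carries no address"
        else
            echo "FAIL $i carries $n address(es): $(addrs_for "$i" "$1" | tr '\n' ' ')"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of `ip -o addr show` on a dom0 configured as in the
# post: eth0 has the management address, eth1 has no IPv4 but has picked up
# an IPv6 link-local address, and xenbr1 has no address at all (no line).
SAMPLE='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.221.4/24 brd 192.168.221.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet6 fe80::216:3eff:fe00:1/64 scope link \       valid_lft forever preferred_lft forever'

if [ "${1:-}" = "--live" ]; then
    audit "$(ip -o addr show)"
else
    # The sample is meant to FAIL: eth1 still answers on its fe80:: address.
    audit "$SAMPLE" || echo "(sample audit failed as intended: eth1 is reachable over IPv6 link-local)"
fi
```

On kernels that provide it, `sysctl -w net.ipv6.conf.eth1.disable_ipv6=1` (and the same for xenbr1) removes that link-local address; on older kernels the practical alternative is to keep the ipv6 module unloaded on dom0. Because network-bridge recreates the bridge each time xend starts, the check is worth running after every reboot rather than once.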


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

