[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Firewalling Xen?

lists@xxxxxxxxxxxxx wrote:

I have the following Xen config and I was wondering what you'd recomend as a firewall setup.

Dom0 -
Dom1 - (Bridged)
Dom2 - (Bridged)
Dom3 - (Bridged)
Dom4 - (Bridged)

I'm wondering how to setup a firewall for Dom0 when all traffic for the DomUs go 'through' it. How should the firewall take this into account?

On a side note, I read a more secure way was to have the 'primary' Dom to be a DomU firewall to avoid exploits to the Dom0 but I can't find proper documentation for such a setup. Can someone point me in the right direction please?

I'll do the second one first as a) it's shorter, and b) if I do it at the end it's likely to get missed !

I think what you are referring to is the practice of making a DomU have the only connection to the outside, and for it to run as a two port firewall. You can either configure a second bridge to get the external traffic to the DomU, or hide the PCI device and make it a native hardware device available only to the DomU - the latter is what I have at home, and also I believe what Tom Eastep (author of the Shorewall package) runs for his Shorewall hosting.

For a firewall, I can recommend Shorewall (http://www.shorewall.net) which I believe takes a good position between low level (native iptables) and too restrictive.

Now, to the first bit :

I have another server that is setup something similar to your setup. I hand crafted an init file to configure a few iptables rules to protect Dom0 - it's pointless trying to run a full firewall as a) I'm not sure anyone really understands networking fully under Xen, and b) the network keeps changing when guests start or stop.

My init script is (it actually has more as the machine has multiple networks, but I've ripped out all but one) :

#! /bin/sh

# Provides:          firewall
# Required-Start:    $networking
# Required-Stop:     $networking
# Should-Start: # Default-Start: 2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Firewall - home grown bash/iptables script
# Description: Script to build basic firewall directly with /sbin/iptables

set -e

. /lib/lsb/init-functions


case "$1" in
        log_daemon_msg "Starting firewall"

        # Clear /sbin/iptables first
        /sbin/iptables -F

        # Set traffic not addressed to us to no-track
        # t:raw c:prerouting
/sbin/iptables -t raw -A PREROUTING --in-interface ethext --dst ! $ExtAdd -j NOTRACK

        # filter:inbound
        # t:filter c:inbound-ext
        /sbin/iptables -t filter --new inbound-ext

        # allow established streams (ie outbound initiated connections)
/sbin/iptables -t filter -A inbound-ext -m state --state RELATED,ESTABLISHED -j ACCEPT

        # allow icmp
/sbin/iptables -t filter -A inbound-ext --src a.b.c.0/29 -p icmp --icmp-type 8 -j ACCEPT /sbin/iptables -t filter -A inbound-ext -p icmp --icmp-type 8 -m limit --limit 6/minute --limit-burst 10 -j ACCEPT
        /sbin/iptables -t filter -A inbound-ext -p icmp --icmp-type 8 -j DROP
        /sbin/iptables -t filter -A inbound-ext -p icmp -j ACCEPT

        # allow ssh
/sbin/iptables -t filter -A inbound-ext --src a.b.c.0/29 -p tcp --dport 22 -j LOG --log-level info --log-prefix "FW net2fw" /sbin/iptables -t filter -A inbound-ext --src a.b.c.0/29 -p tcp --dport 22 -j ACCEPT

        # drop everything else
        /sbin/iptables -t filter -A inbound-ext -j DROP

        # filter: send inbound packets to us to chain inbound-[ext|bak|int]
        # t:filter c:INPUT
        # policy allow
        /sbin/iptables -t filter -A INPUT --dst $ExtAdd -j inbound-ext

        log_end_msg 0
        log_daemon_msg "Stopping firewall"
        /sbin/iptables -F
        /sbin/iptables -F -t raw
        /sbin/iptables -X inbound-ext
        log_end_msg 0

        echo "Usage: /etc/init.d/firewall {start|stop}"
        exit 1

exit 0

Now, what I believe this does is :
Not track any traffic coming in on the external interface that isn't addressed to us.
Permits certain inbound traffic.
Blocks everything else.

Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.