
Re: [Xen-users] Firewalling Xen?

  • To: Dustin.Henning@xxxxxxxxxxx
  • From: "Grant McWilliams" <grantmasterflash@xxxxxxxxx>
  • Date: Mon, 15 Dec 2008 13:50:56 -0800
  • Cc: xen-users@xxxxxxxxxxxxxxxxxxx
  • Delivery-date: Mon, 15 Dec 2008 13:52:29 -0800
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

On Mon, Dec 15, 2008 at 1:05 PM, Dustin Henning <Dustin.Henning@xxxxxxxxxxx> wrote:
       In case it is relevant, I simply allow all traffic to traverse the forwarding chain when it is headed to a bridged destination.  I then simply run a firewall on dom0 and each domU as if they were all individual machines.  This seems to me like the way to go short of doing something more drastic with hardware isolation, but as a lot of people prefer to have much more complex firewall setups, it is certainly likely that at least some of them have good reason.

Keep in mind that this method means you'll be managing multiple firewalls. In my case it would be about 30 firewalls total. By separating the internal private network from the real network you can run with one firewall. However, having said that you can only forward each outside port to one port on one domU. This means if you have multiple web servers you can't forward the external port 80 to more than one internal possibly making it messy for external clients accessing the virtual machines by requiring them to access services on non-standard ports. In my setup this is fine because I only forward one port anyway (ssh) to allow remote logins.

In summary:
To simulate a traditional open network where all virtual hosts (and all ports) are accessible by all external clients you will want to just make sure the peth0 physical network device is added to the bridge that Xen uses for domUs. This will require you to have firewalls on all DomUs in addition to a firewall on Dom0 as Dustin has outlined.

To simulate a private network where all traffic is routed through a firewall you'll want to use my original suggestion or similar. This entails setting up eth0 on Dom0 as a connection to the outside world and dummy0 as a connection to the Xen bridge where the DomUs reside. This will require you to configure a firewall on Dom0 that will filter and pass traffic from an externally accessible port to the desired port of the DomU in question.

Grant McWilliams

Some people, when confronted with a problem, think "I know, I'll use Windows."
Now they have two problems.
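The second layout Grant describes (dom0 routes between eth0 on the outside and dummy0 on the Xen bridge, with one external port forwarded to one domU port) as an added example; this is not code from the thread or from the Xen project. Interface names, the 10.10.0.0/24 domU network and the domU addresses are assumptions constructed for illustration. It runs in dry-run mode by default and only prints the iptables commands; it also records which external ports have already been claimed, so the one-external-port-to-one-domU limitation Grant points out is caught before a second, silently shadowed DNAT rule is added.

```sh
#!/bin/sh
# Added example: dom0 as the single firewall between the outside world and
# the private Xen bridge. All names/addresses below are assumed for illustration.
WAN_IF="${WAN_IF:-eth0}"            # outside world (as in Grant's description)
LAN_IF="${LAN_IF:-dummy0}"          # dom0's leg onto the Xen bridge (assumed name)
LAN_NET="${LAN_NET:-10.10.0.0/24}"  # constructed private domU network
DRY_RUN="${DRY_RUN:-1}"             # 1 = print the rules, 0 = apply them with iptables
CLAIMED_PORTS=""                    # "proto/port" entries already forwarded

# Print (dry run) or execute one iptables command.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Default-deny forwarding; allow replies, let domUs reach out behind dom0's address.
base_policy() {
    ipt -P FORWARD DROP
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Forward exactly one external port to one domU port.
# Usage: forward_port EXT_PORT DOMU_IP DOMU_PORT [tcp|udp]
# Returns 1 without emitting anything if EXT_PORT was already forwarded:
# a second DNAT rule for the same port would never match, so refuse it loudly.
forward_port() {
    ext_port="$1"; domu_ip="$2"; domu_port="$3"; proto="${4:-tcp}"
    case " $CLAIMED_PORTS " in
        *" $proto/$ext_port "*)
            printf 'refusing: %s/%s is already forwarded to a domU\n' \
                "$proto" "$ext_port" >&2
            return 1 ;;
    esac
    CLAIMED_PORTS="$CLAIMED_PORTS $proto/$ext_port"
    # Rewrite the destination on the way in ...
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" --dport "$ext_port" \
        -j DNAT --to-destination "$domu_ip:$domu_port"
    # ... and accept only that translated flow through FORWARD.
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p "$proto" -d "$domu_ip" \
        --dport "$domu_port" -m state --state NEW -j ACCEPT
}

# Demonstration (dry run): one firewall, one forwarded port for remote ssh.
base_policy
forward_port 22 10.10.0.5 22
```

Run it as-is to review the generated rules; set `DRY_RUN=0` and run as root on dom0 (with IP forwarding enabled) to apply them. Because the bridge is never joined to peth0, nothing reaches a domU except through an explicit `forward_port` entry, which is what makes a single dom0 firewall sufficient in this layout.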