RE: [Xen-users] Firewalling Xen?
> Hi all,
>
> I have the following Xen config and I was wondering what you'd recommend as
> a firewall setup.
>
> Dom0 - 198.175.98.50
> Dom1 - 198.175.98.63 (Bridged)
> Dom2 - 198.175.98.62 (Bridged)
> Dom3 - 198.175.98.61 (Bridged)
> Dom4 - 198.175.45.12 (Bridged)
>
> I'm wondering how to set up a firewall for Dom0 when all traffic for the
> DomUs goes 'through' it. How should the firewall take this into account?
>
> On a side note, I read a more secure way was to have the 'primary' Dom to
> be a DomU firewall to avoid exploits to the Dom0 but I can't find proper
> documentation for such a setup. Can someone point me in the right
> direction please?

On my server I have the firewall all on Dom0, despite some recommendations to the contrary. That way if something goes wrong after an upgrade, or if I want to boot into a non-xen kernel, I still have connectivity. The machine is at a colo but I still have console access (HP iLO2), so I could move the firewall and still be able to get to it in an emergency. It seems easier this way though.

Do you want to firewall the DomUs from each other? Or just from the internet? If the former then you'll need to have iptables interact with the bridging code, which always gives me a headache.

If the latter, then I would try and arrange it so that the physical Ethernet device is on Dom0 on its own IP address and not bridged, and then route onto a bridge which isn't connected to a physical network adapter, and put the firewall rules on Dom0 between the physical network and the bridged network. You might need some more IP addresses though. If you have lots of IP addresses already, you could split your network up into a bunch of /30s and route between them...

James

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
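The routed-bridge arrangement James describes (physical NIC on Dom0 with its own address, DomUs on a bridge with no physical port, Dom0 routing and filtering between the two), as an added example that is not part of the original thread. It assumes eth0 is the upstream NIC, xenbr0 is the DomU-only bridge, and a constructed DomU subnet 198.51.100.0/29 that the upstream already routes to Dom0; the functions print the commands so the plan can be reviewed before it is piped to sh as root.

```shell
#!/bin/sh
# Added example, not code from the original post. Names and addresses below
# are assumptions: eth0 = upstream NIC, xenbr0 = bridge with no physical
# port, 198.51.100.0/29 = DomU subnet (RFC 5737 documentation space).
PHYS_IF=eth0
DOMU_BR=xenbr0
DOMU_NET=198.51.100.0/29
DOMU_GW=198.51.100.1/29   # Dom0's address on the DomU bridge

# Bridge without a physical member: DomU vifs get attached here by the Xen
# vif scripts, and Dom0 is the router between it and $PHYS_IF.
gen_setup() {
    cat <<EOF
brctl addbr $DOMU_BR
ip addr add $DOMU_GW dev $DOMU_BR
ip link set $DOMU_BR up
sysctl -w net.ipv4.ip_forward=1
EOF
}

# Firewall rules for the FORWARD chain, i.e. the path between the physical
# network and the bridged network. Arguments are "addr:port" pairs naming
# the TCP services individual DomUs may expose to the internet.
gen_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # DomUs may initiate outbound traffic, but only with a source inside
    # their own subnet (blocks address spoofing from a compromised guest)
    echo "iptables -A FORWARD -i $DOMU_BR -o $PHYS_IF -s $DOMU_NET -j ACCEPT"
    for svc in "$@"; do
        addr=${svc%:*}
        port=${svc#*:}
        echo "iptables -A FORWARD -i $PHYS_IF -o $DOMU_BR -d $addr -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Anything else falls through to the policy; log it first so blocked
    # inbound attempts and unexpected guest traffic are visible in Dom0's syslog
    echo "iptables -A FORWARD -j LOG --log-prefix 'xen-fwd-drop: '"
}

# Review: gen_setup; gen_rules 198.51.100.2:22 198.51.100.3:80
# Apply:  { gen_setup; gen_rules 198.51.100.2:22 198.51.100.3:80; } | sh
```

DomU-to-DomU traffic never leaves the bridge, so these rules do not separate guests from each other; that is the bridge-level filtering case James mentions.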