[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Xen-users] Firewalling Xen?

> Hi all,
> I have the following Xen config and I was wondering what you'd
recomend as
> a firewall setup.
> Dom0 -
> Dom1 - (Bridged)
> Dom2 - (Bridged)
> Dom3 - (Bridged)
> Dom4 - (Bridged)
> I'm wondering how to setup a firewall for Dom0 when all traffic for
> DomUs go 'through' it.  How should the firewall take this into
> On a side note, I read a more secure way was to have the 'primary' Dom
> be a DomU firewall to avoid exploits to the Dom0 but I can't find
> documentation for such a setup.  Can someone point me in the right
> direction please?

On my server I have the firewall all on Dom0, despite some
recommendations to the contrary. That way if something goes wrong after
an upgrade, or if I want to boot into a non-xen kernel, I still have
connectivity. The machine is at a colo but I still have console access
(HP iLO2), so I could move the firewall and still be able to get to it
in an emergency. It seems easier this way though.

Do you want to firewall the DomU's from each other? Or just from the
internet? If the former then you'll need to have iptables interact with
the bridging code, which always gives me a headache. If the latter, then
I would try and arrange it so that the physical Ethernet device is on
Dom0 on it's own IP address and not bridged, and then route onto a
bridge which isn't connected to a physical network adapter, and put the
firewall rules on Dom0 between the physical network and the bridged
network. You might need some more IP addresses though.

If you have lots of IP addresses already, you could split your network
up into a bunch of /30's and route between them...


Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.