
Re: [Xen-users] Question about using Xen in a periphery firewall/router scenario



Sanjay Arora wrote:

> XEN newbie here.

We all started there - I'm not much further on !

> If I install minimal linux for XEN in dom0 and a periphery firewall in
> domU and other applications in other instances of domU, is it possible
> to restrict/bind the network card to the domU having the periphery firewall
> and from there forward packets for dom0 or for other domUs?
>
> Is this possible? If so, is it secure? Or does dom0 always have direct
> access to the network card and need a separate firewall? And will packets
> always route from dom0 to all domUs?

OK, there are two ways to deal with this.


The approach I've used at home is to hide a network card from Dom0 (see pciback.hide) and pass it through to a DomU, which then sees it as a native interface. I then run a firewall in the DomU and the outside traffic does NOT go through Dom0. The route for packets is then:

real i/f -> DomU (firewall) -> VIF -> int bridge [ Dom0 | VIF -> DomU ]


An alternative is to create more than one bridge in Dom0. The 'outside' bridge will have as members the real network card and the VIF for your firewall DomU. Dom0 either has no interface defined on this bridge*, or some iptables rules to block all outside traffic. The 'internal' bridge has member interfaces for Dom0, your firewall DomU, and all other DomUs. The route for packets is then:

real i/f -> ext bridge -> VIF -> DomU (firewall) -> VIF -> int bridge [ Dom0 | VIF -> DomU ]


* Personally, I've never got the bridge to work this way.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
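The two-bridge layout from Simon's second approach, as an added example (not from the thread or the Xen project): the real NIC and the firewall DomU's first VIF share an external bridge that Dom0 never puts an address on, Dom0 and every DomU share the internal bridge, and iptables stops Dom0 from routing between the two. Interface and bridge names, the Dom0 address and the guest MACs are assumptions; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: Xen Dom0 host setup for an external/internal bridge pair
# with a firewall DomU straddling both. Names and addresses are assumed.

EXT_IF=${EXT_IF:-eth0}              # real interface facing the outside (assumed)
EXT_BR=${EXT_BR:-xenbr-ext}         # members: real NIC + firewall VIF only
INT_BR=${INT_BR:-xenbr-int}         # members: Dom0 + firewall VIF + other DomU VIFs
DOM0_IP=${DOM0_IP:-192.0.2.10/24}   # constructed, RFC 5737 documentation range

# Execute a command, or just print it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

make_bridges() {
    run ip link add name "$EXT_BR" type bridge
    run ip link add name "$INT_BR" type bridge
    # The real NIC loses its address and joins the external bridge. Dom0 gets
    # no address on that bridge, so nothing in Dom0 is reachable from outside.
    run ip addr flush dev "$EXT_IF"
    run ip link set "$EXT_IF" master "$EXT_BR"
    run ip link set "$EXT_IF" up
    run ip link set "$EXT_BR" up
    # Dom0's only address sits on the internal bridge, behind the firewall DomU.
    run ip addr add "$DOM0_IP" dev "$INT_BR"
    run ip link set "$INT_BR" up
}

dom0_lockdown() {
    # Belt and braces for the external bridge: Dom0 must neither accept
    # traffic arriving on it nor route between the two bridges itself.
    run sysctl -w net.ipv4.ip_forward=0
    run iptables -A INPUT -i "$EXT_BR" -j DROP
    run iptables -A FORWARD -i "$EXT_BR" -o "$INT_BR" -j DROP
    run iptables -A FORWARD -i "$INT_BR" -o "$EXT_BR" -j DROP
}

# Domain config for the firewall guest: one VIF per bridge. The MACs use
# Xen's 00:16:3e prefix and are constructed for this example.
firewall_domu_cfg() {
    cat <<EOF
name = "fw"
vif = [ 'mac=00:16:3e:00:00:01,bridge=$EXT_BR', 'mac=00:16:3e:00:00:02,bridge=$INT_BR' ]
EOF
}

# Usage: sh thisfile apply   (prints the guest config; save it under /etc/xen)
if [ "${1:-}" = apply ]; then make_bridges; dom0_lockdown; firewall_domu_cfg; fi
```

Every other DomU then gets a single VIF with `bridge=xenbr-int`, so its only path outside is through the firewall guest.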

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

