Response in-line for once...
-----Original Message-----
From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx [mailto:xen-users-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Simon Hobson
Sent: Sunday, June 13, 2010 08:32
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Managed Firewall
Jonathan Tripathy wrote:

>Since I have plans for up to nearly 100 VMs on the same machine, how
>well would Xen cope with 100 bridges?

No idea.
>I also have another idea, so maybe you could tell me if it would
>work or not (Using physical firewall box):
>Let's say I have just one bridge per Xen host. Could I use
>iptables/ebtables to deny all inter-VM traffic? So only allow access
>from the VM to the physical NIC of the box? Then on the physical
>switch, I could put each port on a separate VLAN, but put the port
>that the firewall is connected to on all the VLANs. Then, I assume,
>the switch would send all traffic from the host ports to the
>firewall port, where the firewall could do filtering? I'm not sure
>if the firewall would even need to be VM aware..
Well the firewall will not have to be VM aware anyway - it just sees
traffic on VLAN ports.

As to having one bridge and VLANs, if you connect multiple VLANs to
one switch then that's the equivalent of trunking (bonding) multiple
links together and won't help. The only other way round it I can see
is to use some fudging with /32 subnets for the clients so that they
have no concept of there being 'neighbours' on the local subnet (and
then enforce it with iptables/ebtables rules to prevent direct
host-host traffic) - but that's beyond my experience and I don't know
how well it works or what pitfalls there may be.
Simon,

Primarily out of curiosity, are you assuming that the switch is not using
VLAN tagging along with trunking? Is that even possible? Assuming tagged
VLANs, I don't see what makes you think the switch is going to break that
boundary and send the data back. Even if it did, the destination domU
should ignore it unless the tag was stripped by the switch. Seems to me
like the switch would keep the VLANs separate and the firewall would have to
function as a sort of "VLAN Router," which may or may not be possible.

Dustin
--
Simon Hobson
-------------------------------------------------------------------------------------------------------------
Hi Everyone,

Just to follow up on my above emails. I've decided to go down a
much simpler route: I'm just going to add some iptables rules in the vif script
for each customer. This will provide simple yet powerful filtering in the Dom0.
No external firewall needed!

Thanks
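The two ideas discussed in this thread - dropping all inter-VM traffic on a single dom0 bridge so guests can only reach the physical NIC, and enforcing that from the per-customer vif script - can be expressed as a small shell helper. The following is an added example for this page, not code from the thread or from Xen's own vif scripts. The vif name `vif3.0`, the uplink `eth0`, the guest address `192.0.2.10`, the `APPLY` switch and the `run` wrapper are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from Xen): per-customer rules a dom0 vif
# script could call when a guest's vif comes up (add) or goes down (del).
#
# Assumed environment: ebtables for bridge-level filtering, iptables with the
# physdev match, and br_netfilter enabled (net.bridge.bridge-nf-call-iptables=1)
# so that bridged IP traffic also traverses the iptables FORWARD chain.

# Run a command when APPLY=1; otherwise just print it (safe outside dom0).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# vif_isolation add|del VIF UPLINK GUEST_IP
#   Confine VIF so that frames may only leave it towards UPLINK (the physical
#   NIC) and may only reach it from UPLINK. Anything else bridged to or from
#   VIF - in particular traffic to another guest's vif - is dropped.
vif_isolation() {
    action=$1 vif=$2 uplink=$3 guest_ip=$4
    case $action in
        add) op=-A ;;
        del) op=-D ;;
        *)   echo "usage: vif_isolation add|del VIF UPLINK GUEST_IP" >&2; return 1 ;;
    esac

    # Only accept the Xen naming pattern vif<domid>.<index> before passing the
    # name on to a privileged tool; reject anything with stray characters.
    case $vif in
        vif[0-9]*.[0-9]*) ;;
        *) echo "refusing unexpected vif name: $vif" >&2; return 1 ;;
    esac
    case ${vif#vif} in
        *[!0-9.]*) echo "refusing unexpected vif name: $vif" >&2; return 1 ;;
    esac

    # Layer 2: the guest may exchange frames with the uplink only. The two DROP
    # rules catch flooded broadcasts (ARP, for example) and unicast frames to or
    # from sibling vifs on the same bridge.
    run ebtables "$op" FORWARD -i "$vif" -o "$uplink" -j ACCEPT
    run ebtables "$op" FORWARD -i "$uplink" -o "$vif" -j ACCEPT
    run ebtables "$op" FORWARD -i "$vif" -j DROP
    run ebtables "$op" FORWARD -o "$vif" -j DROP

    # Layer 3: pin the guest to its assigned address, so a customer cannot use a
    # neighbour's IP once all guest traffic is forced through the upstream gateway.
    run iptables "$op" FORWARD -m physdev --physdev-in "$vif" ! -s "$guest_ip" -j DROP
}

# Stand-alone demonstration; prints the rules because APPLY is unset.
vif_isolation add vif3.0 eth0 192.0.2.10
```

In a vif script the `online` branch would call `vif_isolation add` and the `offline` branch `vif_isolation del` with `APPLY=1` exported, so rules are removed again when a guest is torn down. Note the consequence Simon points at: once sibling vifs cannot exchange frames, two guests on the same subnet can no longer ARP for each other, so each guest needs a /32 (or a route that sends all traffic to the gateway) and inter-customer traffic is hairpinned through whatever sits on the uplink.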