[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Xen-users] Managed Firewall

  • To: <Dustin.Henning@xxxxxxxxxxx>, <xen-users@xxxxxxxxxxxxxxxxxxx>
  • From: "Jonathan Tripathy" <jonnyt@xxxxxxxxxxx>
  • Date: Tue, 15 Jun 2010 16:16:40 +0100
  • Cc:
  • Delivery-date: Tue, 15 Jun 2010 08:19:31 -0700
  • List-id: Xen user discussion <xen-users.lists.xensource.com>
  • Thread-index: AcsK9JUaGqV8TQHlQo62XP0WincQxQBqDGqAAAA+s9Y=
  • Thread-topic: [Xen-users] Managed Firewall


From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx on behalf of Dustin Henning
Sent: Tue 15/06/2010 16:12
To: 'Simon Hobson'; xen-users@xxxxxxxxxxxxxxxxxxx
Subject: RE: [Xen-users] Managed Firewall

Response in-line for once...

-----Original Message-----
From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
[mailto:xen-users-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Simon Hobson
Sent: Sunday, June 13, 2010 08:32
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Managed Firewall

Jonathan Tripathy wrote:

>Since I have plans for up to nearly 100 VMs on the same machine, how
>well would Xen cope with 100 bridges?

No idea.

>I also have another idea, so maybe you could tell me if it would
>work or not (Using physical firewall box):
>Let's say I have just one bridge per Xen host. Could I use
>iptabled/ebtables to deny all inter-VM traffic? So only allow access
>from the VM to the physical NIC of the box? Then on the physical
>switch, I could put each port on a separate VLAN, but put the port
>that the firewall is connected to on all the VLANs. Then, I assume,
>the switch would send all traffic from the host ports to the
>firewall port, where the firewall could do filtering? I'm not sure
>if the firewall would even need to be VM aware..

Well the firewall will not have to be VM aware anyway - it just sees
traffic on VLAN ports.

As to having one bridge and VLANs, if you connect multiple VLANs to
one switch then that's the equivalent of trunking (bonding) multiple
links together and won't help.  The only other way round it I can see
is to use some fudging with /32 subnets for the clients so that they
have no concept of there being 'neighbours' on the local subnet (and
then enforce it with iptable/ebtables rules to prevent direct
host-host traffic) - but that's beyond my experience and I don't know
how well it works or what pitfalls there may be.

Primarily out of curiosity, are you assuming that the switch is not using
VLAN tagging along with trunking?  Is that even possible?  Assuming tagged
VLANs, I don't see what makes you think the switch is going to break that
boundary and send the data back.  Even if it did, the destination domU
should ignore it unless the tag was stripped by the switch.  Seems to me
like the switch would keep the VLANs separate and e firewall would have to
function as a sort of "VLAN Router," which may or may not be possible.

Simon Hobson


Hi Everyone,

Just to follow up on my above emails. I've decided to go down a much simplier route: I'm just going to add some iptables rules in the vif script for each customer. This will provide simple yet powerful filtering in the Dom0. No external firewall needed!


Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.