Re: [Xen-users] Comparing approaches for a firewall on a Xen server. Any experience or recommendations?
On 22/04/15 10:56, aleph2@xxxxxxxxxxx wrote:
> Hi
>
> Sorry if this has been asked, or even answered a gazillion times. Right now it feels like I've read most of them! :-/
>
> My office is getting a Xen on linux server donated. Looks like I'm on the hook to get it up and running. Been reading and testing bits and pieces. Most seem pretty straight forward. I have a question about putting a firewall on the Xen machine to provide firewall for the machine Hosts, the Guests, and machines on the office lan. I've found a lot of articles & examples about it, and am in the weeds a ways.
>
> IIUC there are basically four ways to handle the firewall:
> (1) 2 ethernet interfaces in the Dom0 host, shorewall on the Dom0
> (2) 2 ethernet interfaces in the Dom0 host, shorewall in a DomU guest
> (3) 1 ethernet interface in the Dom0 host, 1 eth intfc in a DomU guest, shorewall in the Guest
> (4) 2 ethernet interfaces in the DomU guest, shorewall in the DomU guest, guest internal intfc connected to an Ethernet switch
>
> So far I'm pretty convinced that
> (A) this Xen server CAN be my 'edge' firewall/router for my office
> (B) it's best to NOT load up the Dom0 with the firewall pkgs, so the fw goes in a DomU
> (C) at least the external interface should be passed through to the Guest to avoid DomU<>Dom0 traffic
> (D) I should use a bridged, not routed, topology
> (E) Linux' built-in L2 switch is good enough, and I likely don't need Open vSwitch
>
> If all of those are right, then I'm left with figuring out how best to handle the other interface, and getting the traffic from the 'net, "through" the Xen server & a switch, then to the LAN.
>
> At the moment I'm reading these:
> http://wiki.xen.org/wiki/Xen_FAQ_Security
> http://wiki.xenproject.org/wiki/Xen_Networking
> http://old-list-archives.xenproject.org/archives/html/xen-users/2006-02/msg00602.html
> and am really not sure which is the right way to go.
>
> Also this
> https://community.spiceworks.com/how_to/103601-configure-xenserver-6-2-to-host-a-virtual-firewall
> talks about using dedicated physical host ports vs. using VLAN with an external switch. Which is an option since this Xen server has a total of 4 physical ethernet interfaces, AND my Ethernet Switch is a managed, VLAN capable Gbit switch.
>
> I'd appreciate a little help in narrowing this down to the best approach, choosing simple where there's a choice.

IMHO, use two physical ethernet ports on the dom0, and configure each of them as a bridge (your dom0 Linux OS will be used for this). Physically, you will connect one of them to your LAN and the other to your WAN (router/modem/etc). The LAN port is bridged to xenbr0 and the WAN port to xenbr1.

In dom0, xenbr0 is configured with an IP address the same as any normal server on your LAN (eg 192.168.1.12/24) and xenbr1 has no IP address, and is not configured/used. You configure to pass xenbr0 and xenbr1 to the domU as eth0 and eth1.

Within domU you use eth0 as your normal LAN interface (eg 192.168.1.1/24), and configure eth1 as your WAN interface (external IP address, or PPPoE or whatever is needed). Configure your firewall the same as if this was a physical server with two ethernet devices. Nothing special at all.

If you use other domUs then you will only pass xenbr0 to them, and use only eth0 within the domU.

To complicate things further, you could split the 4 available physical ports into two pairs, and bond them together using linux bonding, so that if one of the physical interfaces fails, then services can continue, or to increase available bandwidth on the LAN side, etc. This is all a lot more advanced/more difficult, so definitely get the above working first.

I hope this is helpful.

Regards,
Adam

--
Adam Goryachev
Website Managers
www.websitemanagers.com.au
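As an added illustration (not from Adam's reply or the list archive), the shell script below writes the two-bridge layout he describes as constructed sample dom0 and domU configs and checks the invariants it depends on: xenbr1 carries no dom0 IP, the firewall domU attaches both bridges, and any other domU attaches only xenbr0. The Debian-style interfaces file, the xl vif syntax and the guest names are assumptions; the bridge names and addresses are the ones from the reply.

```shell
#!/bin/sh
# Constructed dom0 /etc/network/interfaces fragment (Debian style, assumed):
# xenbr0 = LAN bridge with dom0's own IP, xenbr1 = WAN bridge with no IP.
DOM0_INTERFACES='
auto xenbr0
iface xenbr0 inet static
    bridge_ports eth0
    address 192.168.1.12
    netmask 255.255.255.0

auto xenbr1
iface xenbr1 inet manual
    bridge_ports eth1
'

# Constructed xl domU configs: the firewall guest sees both bridges as
# eth0/eth1, an ordinary guest is only attached to the LAN bridge.
FW_CFG="vif = [ 'bridge=xenbr0', 'bridge=xenbr1' ]"
WEB_CFG="vif = [ 'bridge=xenbr0' ]"

# Succeeds when the bridge is declared "inet manual" with no address line,
# i.e. dom0 itself is not reachable on the WAN side.
bridge_has_no_ip() {
    printf '%s\n' "$DOM0_INTERFACES" | awk -v br="$1" '
        $1 == "iface" && $2 == br { inblk = 1; mode = $4; next }
        $1 == "iface"             { inblk = 0 }
        inblk && $1 == "address"  { addr = 1 }
        END { if (mode == "manual" && !addr) exit 0; exit 1 }'
}

# Prints the bridges a domU vif line attaches, one per line.
vif_bridges() {
    printf '%s\n' "$1" | grep -o 'bridge=[A-Za-z0-9_]*' | cut -d= -f2
}

# Succeeds when the config attaches exactly the bridges named as arguments.
vif_attaches_only() {
    cfg=$1; shift
    [ "$(vif_bridges "$cfg" | sort | tr '\n' ' ')" = \
      "$(printf '%s\n' "$@" | sort | tr '\n' ' ')" ]
}

# Run the checks; any failure exits non-zero.
bridge_has_no_ip xenbr1 || { echo "xenbr1 must carry no dom0 IP"; exit 1; }
vif_attaches_only "$FW_CFG" xenbr0 xenbr1 || { echo "firewall domU needs both bridges"; exit 1; }
vif_attaches_only "$WEB_CFG" xenbr0 || { echo "other domUs get xenbr0 only"; exit 1; }
echo "topology checks passed"
```

The script only inspects config text, so it says nothing about the ruleset inside the firewall domU; that still has to be reviewed as on any two-interface physical firewall.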