
Re: [Xen-devel] Bridging firewall?



On Fri, 21 Jan 2005 13:55:35 +0000
Grzegorz Milos <gm281@xxxxxxxxxxxxxxxx> wrote:

> > Is it possible with Xen to construct something like the following scenario.
> >
> > Free/NetBSD (*) domU server running pf or Linux/iptables, acting as a
> > routing or bridging firewall for all the other domU guests? Furthermore,
> > create a virtual DMZ and internal services.
I've done it and it's been running for two or three months at home, and it seems to
work ...
> >
> > You'd probably keep the dom0 instance otherside this setup, with its own
> > filtering arrangement.
> >
> 
> If you give direct network device access to the first domU you can set up your 
> scheme fairly easily. Otherwise (in the standard setup) dom0 will be handling 
> all the incoming/outgoing traffic with no involvement from the first domU (so no 
> firewall possible there). 
Not sure, see my setup:
I've two cards in dom0: eth0 and eth1. eth1 is linked to my xDSL modem, eth0 to
a switch for other physical machines; eth0 is also shared with the other xenU
domains (those which are considered to be behind the firewall).
br0 encapsulates eth0, one of the virtual network cards of my firewall (the one
considered filtered) and the other xenU virtual network cards.
br1 encapsulates eth1 and the other virtual network card.

My basic idea was not to configure eth1 at all; I thought that if the interface
is not activated there is no chance of attacking xen0.
It turns out that in order to have the packets directed to xenFirewall's input, I must
do ifconfig eth1 up.
By doing it this way, I must say that I feel less comfortable, but I still have
faith (and some iptables rules in dom0).
In order to feel secure I've activated the antispoof options, but as they were
broken for me I tweaked the rules a little ... if someone is interested I can post
my script and give some explanations.

I must say that I'm planning to switch to a solution where my eth1 is directly
exported into xenFirewall.

> 
> Cheers
> Gregor
> 
> > For instance, you have a subnet 192.168.1.0/24.  Put the dom0 on
> > 192.168.1.254. Have the firewall router domU running on 192.168.1.1 and
> > acting as the gateway for all the other machines on the subnet.
> >
> >
> > (*) This is my dream, using pf for security and debian for serving the
> > applications. ;)

HTH
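The two-bridge layout the reply describes, as an added example and not the poster's own script (which was not posted): dom0 commands that build br0/br1, bring eth1 up without giving it an address, lock dom0's own IP stack out of the outside bridge, and add one antispoof rule on the firewall's inside vif. Interface names (eth0/eth1), bridge names (br0/br1), the firewall domU's vif names (vif1.0/vif1.1) and the addresses (192.168.1.254 for dom0, 192.168.1.1 for the firewall, taken from the thread's example subnet) are all assumptions, as is the use of brctl/ip/iptables rather than whatever the poster actually ran.

```sh
#!/bin/sh
# Added example, not from the original mail. All names below are assumptions:
#   eth1 = NIC to the xDSL modem, eth0 = NIC to the LAN switch,
#   br1/br0 = outside/inside bridges, vif1.0/vif1.1 = the firewall domU's
#   outside/inside virtual NICs, addresses from the thread's 192.168.1.0/24 example.
set -eu

OUTSIDE_NIC=${OUTSIDE_NIC:-eth1}
INSIDE_NIC=${INSIDE_NIC:-eth0}
OUTSIDE_BR=${OUTSIDE_BR:-br1}
INSIDE_BR=${INSIDE_BR:-br0}
FW_OUT_VIF=${FW_OUT_VIF:-vif1.0}
FW_IN_VIF=${FW_IN_VIF:-vif1.1}
DOM0_LAN_ADDR=${DOM0_LAN_ADDR:-192.168.1.254/24}
FW_IN_ADDR=${FW_IN_ADDR:-192.168.1.1}

# Dry run by default: print each command instead of executing it. Set RUN=1
# (as root, after the firewall domU is started so its vifs exist) to apply.
run() {
    if [ "${RUN:-}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Outside bridge: the physical NIC is only a bridge port. It has to be 'up' so
# the kernel hands its frames to the bridge, but neither it nor br1 gets an IP
# address, so dom0 has no socket listening on the modem side.
setup_outside_bridge() {
    run brctl addbr "$OUTSIDE_BR"
    run brctl addif "$OUTSIDE_BR" "$OUTSIDE_NIC"
    run brctl addif "$OUTSIDE_BR" "$FW_OUT_VIF"
    run ip addr flush dev "$OUTSIDE_NIC"
    run ip link set "$OUTSIDE_NIC" up
    run ip link set "$OUTSIDE_BR" up
}

# Inside bridge: LAN NIC, the firewall's inside vif, and (added by Xen's vif
# scripts) the other domUs' vifs. dom0's own address lives on the bridge.
setup_inside_bridge() {
    run brctl addbr "$INSIDE_BR"
    run brctl addif "$INSIDE_BR" "$INSIDE_NIC"
    run brctl addif "$INSIDE_BR" "$FW_IN_VIF"
    run ip addr flush dev "$INSIDE_NIC"
    run ip link set "$INSIDE_NIC" up
    run ip addr add "$DOM0_LAN_ADDR" dev "$INSIDE_BR"
    run ip link set "$INSIDE_BR" up
}

# Belt and braces for the "eth1 must be up" worry: even if something in dom0
# later acquires an address on the outside, dom0's own stack refuses to talk
# there. Bridged frames traverse FORWARD, not INPUT/OUTPUT, so the firewall
# domU's traffic is unaffected.
dom0_outside_lockdown() {
    run iptables -A INPUT  -i "$OUTSIDE_NIC" -j DROP
    run iptables -A INPUT  -i "$OUTSIDE_BR"  -j DROP
    run iptables -A OUTPUT -o "$OUTSIDE_NIC" -j DROP
    run iptables -A OUTPUT -o "$OUTSIDE_BR"  -j DROP
}

# Antispoof on the inside bridge: frames entering br0 from the firewall's inside
# vif must carry the firewall's own source address. Needs the physdev match,
# i.e. bridge-netfilter compiled in and enabled.
antispoof_inside_vif() {
    run iptables -A FORWARD -m physdev --physdev-in "$FW_IN_VIF" ! -s "$FW_IN_ADDR" -j DROP
}

# Number of commands in the plan, handy for eyeballing a dry run.
command_count() {
    { setup_outside_bridge; setup_inside_bridge; dom0_outside_lockdown; antispoof_inside_vif; } | wc -l | tr -d ' '
}

# Stand-alone: prints the plan (dry run) or applies it (RUN=1).
setup_outside_bridge
setup_inside_bridge
dom0_outside_lockdown
antispoof_inside_vif
```

Two caveats a practitioner should check before trusting this: iptables covers IPv4 only, so if the dom0 kernel has IPv6 enabled, br1 will get a link-local address automatically and needs matching ip6tables rules (or IPv6 disabled on that bridge); and the physdev match and the FORWARD rule only see bridged traffic when bridge-netfilter is active, which is also why the writer's antispoof rules can silently do nothing on a kernel without it.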


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/xen-devel