[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Bridging firewall?



On Mon, Jan 24, 2005 at 12:12:00AM +0100, Matthieu PATOU wrote:
> On Fri, 21 Jan 2005 13:55:35 +0000
> Grzegorz Milos <gm281@xxxxxxxxxxxxxxxx> wrote:
> 
> > > Is it possible with Xen to construct something like the following 
> > > scenario.
> > >
> > > Free/NetBSD (*) domU server running pf or Linux/iptables, acting as a
> > > routing or bridging firewall for all the other domU guests? Further more
> > > create virtual DMZ and internal services.
> I've done it and it's running since two or three month at home and it seems to
> work ...

For the comments below I assume you are using Linux as your firewall OS.

> Not sure see my setup:
> i've two cards in dom0 :eth0 and eth1, eth1 is linked to my xdsl modem, eth0 
> to
> a switch for other physical machines, eth0 is also shared with other xenU
> domains (thoses who are consciderated to be after the firewall).
> br0 encapsulate eth0, one of the virtual network card of my firewall (the one
> consciderated filtred) and other xenU virtual network card
> br1 encapsulate eth1 and the other virtual network card 

So in a sense you've put your virtual servers on the same network as
some of your internal machines.


> My basic idea was not to configure eth1 at all, i thought that if the 
> interface
> is not activated there is no chance of attacking xen0.
> It tunrns that in order to have the packet directed to xenFirewall-input, i 
> must
> do if config eth1 up.

I've been thinking that the following similar method is possible, without
resorting to giving physical device access to a domU.

Basically the same as above, except I'll just have a virtual eth1.

Put dom0 and a virtual NIC for the firewall (domU1-eth0 say) on br0/eth0.
Put domU1-veth1, and all the other domUs on br, and all the other domUs
on br1. Then setup domU1 as a bridging firewall. Admin domU1, either via
the console from dom0 or setup a third private internal accessible from
dom0 or a management VPN.



So there are three bridges. Not sure how well it would perform, or
whether the net/freebsd virtual NIC drives can hande this scenario. It
seems workable though.


Pf+altq, are by far much nicer than iptables.


Nicholas


-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.