
Re: [Xen-users] Ideal(istic) Xen firewall design



Hi Dirk,

Dirk H. Schulz wrote:

> Marcus Brown schrieb:
>
>> Option C-v3
>> ===========
>> Internet
>> |
>> eth1
>> ______________________|_______________________
>> | _____________|_______________ |
>> | | Firewall | |
>> Local eth0 =|========| (Shorewall) |=======|= eth2 DMZ (optional)
>> | |___________________________| |
>> | eth4 | eth5 |
>> | ______________ | eth3 | _______________ |
>> | | Web Server | | | | | iPaq Server | |
>> | | (Apache2) | | | | | (Bluetooth) |=|= USB Host #1
>> | |____________| | | | |_____________| | (for BT Dongle)
>> | eth0 \ | | | / eth0 |
>> | _______________\| | |/ |
>> | | Mail Server | | | | |
>> | | (Courier) | | | | |
>> | |_____________| | | | |
>> | eth0 \| | | |
>> | | | | |
>> | br1 | br2 |
>> | ! br0 ! |
>> | _____________|_____________ |
>> | | | |
>> | | dom0 | |
>> |________|_________________________|_________|
>>
>>
>> Thanks for the hint, I was just compiling vlan support into dom0 when
>> your message arrived, so you've probably saved me from wandering
>> further into a pointless exercise! :)
>> I'll start playing with dummies instead! lol
>>
>>
> I will soon try something similar, so I am trying to follow the thread. :-)
>
> What exactly is a dummy interface (I have found some hints on its
> existence, but nothing detailed)? And can I configure it like a real
> interface in /etc/network/interfaces with "iface dummyX inet static ..."?


Linux Kernel v2.6.11.12-xen0 Configuration
Dummy net driver support

CONFIG_DUMMY:

This is essentially a bit-bucket device (i.e. traffic you send to
this device is consigned into oblivion) with a configurable IP
address. It is most commonly used in order to make your currently
inactive SLIP address seem like a real address for local programs.
If you use SLIP or PPP, you might want to say Y here. Since this
thing often comes in handy, the default is Y. It won't enlarge your
kernel either. What a deal. Read about it in the Network
Administrator's Guide, available from
<http://www.tldp.org/docs.html#guide>.

To compile this driver as a module, choose M here: the module
will be called dummy. If you want to use more than one dummy
device at a time, you need to compile this driver as a module.
Instead of 'dummy', the devices will then be called 'dummy0',
'dummy1' etc.

Symbol: DUMMY [=m]
Prompt: Dummy net driver support
Defined at drivers/net/Kconfig:24
Depends on: NETDEVICES
Location:
  -> Device Drivers
    -> Networking support
      -> Network device support (NETDEVICES [=y])


modprobe dummy -o dummy0
if=dummy0
modprobe dummy -o dummy2
if=dummy1
modprobe dummy -o dummy1
if=dummy2

eg:
/etc/modules

dummy -o dummy0
dummy -o dummy1
dummy -o dummy2
...etc


/etc/network/interfaces

auto dummy0
iface dummy0 inet static
    address 192.168.254.1
    netmask 255.255.255.248
    network 192.168.254.0
    broadcast 192.168.254.7
    gateway 192.168.254.6

auto dummy1
iface dummy1 inet static
    address 192.168.254.9
    netmask 255.255.255.248
    network 192.168.254.8
    broadcast 192.168.254.15
    post-up brctl addbr br1 || true
    post-up brctl addif br1 dummy1 || true
    # post-up ifconfig br1 192.168.254.33/28
    post-down brctl delif br1 dummy1

auto dummy2
iface dummy2 inet static
    address 192.168.254.17
    netmask 255.255.255.248
    network 192.168.254.16
    broadcast 192.168.254.23
    post-up brctl addbr br2 || true
    post-up brctl addif br2 dummy2 || true
    # post-up ifconfig br2 192.168.254.33/28
    post-down brctl delif br2 dummy2

...etc


my /etc/xen/Firewall now contains:

nics=11
vif = [ 'mac=aa:00:00:00:22:01, bridge=br10',
        'mac=aa:00:00:25:40:01, bridge=xen-br0',
        'mac=aa:00:00:25:40:09, bridge=br1',
        'mac=aa:00:00:25:40:17, bridge=br2',
        'mac=aa:00:00:25:40:25, bridge=br3',
        'mac=aa:00:00:25:40:33, bridge=br4',
        'mac=aa:00:00:25:40:49, bridge=br5',
        'mac=aa:00:00:25:40:45, bridge=br6',
        'mac=aa:00:00:25:40:73, bridge=br7',
        'mac=aa:00:00:25:40:81, bridge=br8',
        'mac=aa:00:00:25:40:97, bridge=br9' ]

(br10 is currently just a placeholder, as I'm missing a 3rd network
card atm)

>
> Regarding your drawing: Is the Firewall a xen guest system? And if
> yes, how did you transfer the real interfaces to it? If no, how is the
> firewall separated from dom0?

The Firewall is a privileged domain (dom1, if you like :) ).
The PCI network cards are hidden from dom0
and exported to the Firewall using its config script.

Linux Kernel v2.6.11.12-xen0 Configuration
XEN

[*] Privileged Guest (domain 0)
--- Physical device access
[*] Block-device backend driver
[*] Network-device backend driver
[*] Block-device frontend driver
[*] Network-device frontend driver
[ ] Pipelined transmitter (DANGEROUS)
[*] Scrub memory before freeing it to Xen
    Processor Type (X86)  --->


Linux Kernel v2.6.11.12-Firewall Configuration
XEN

[*] Privileged Guest (domain 0)
--- Physical device access
[*] Block-device backend driver
[*] Network-device backend driver
[*] Block-device frontend driver
[*] Network-device frontend driver
[ ] Pipelined transmitter (DANGEROUS)
[*] Scrub memory before freeing it to Xen
    Processor Type (X86)  --->


Linux Kernel v2.6.11.12-xenU Configuration
XEN

[ ] Privileged Guest (domain 0)
[ ] Physical device access
[*] Block-device frontend driver
[*] Network-device frontend driver
[ ] Pipelined transmitter (DANGEROUS)
[*] Scrub memory before freeing it to Xen
    Processor Type (X86)  --->

dom0 /boot/grub/menu.lst includes (the physdev_dom0_hide= option belongs on
the hypervisor's kernel line; it is shown here unwrapped):

title   Debian Xen Stable no-initrd 2.0.7 2.6.11.12-xen0
root    (hd0,0)
kernel  /xen-2.0.7.gz root=/dev/hda3 ro dom0_mem=131072 physdev_dom0_hide=(00:0a.0)(00:0b.0)(00:09.0)(00:09.1)(00:09.2)(00:09.3)(00:06.0)
module  /vmlinuz-2.6.11.12-xen0 root=/dev/hda3 ro console=tty0
savedefault
boot

/etc/xen/Firewall includes
pci = ['00,0b,0', '00,0a,0' ]


I've got a coloured version (hey it's therapy!) with more domUs,
but here's an ASCII version of the current design:



OPTION C-v3.1
=============
Internet
|
eth1
________________________________________|__________________________________________
| ________________________________|__________________________________ |
| | | |
| | Firewall | |
Local eth0 =|=======| (dom1) |=======|= eth2 DMZ
| |_________________________________________________________________| |
(optional)
| | | | |
| eth3 eth4 eth5 |
| | ________________ | ______________ | _______________ |
| | | Proxy Server | | | Web Server | | | iPaq Server | |
| | | (domU1) | | | (domU2) | | | (dom2) |========|= USB Host #1
| | |______________| | |____________| | |_____________| | (for BT Dongle)
| | / | / | / | ( and cradle )
| | / | / _______________ | / |
| |/ |/ | Mail Server | |/ |
| | | | (domU3) | | |
| | | |_____________| | |
| | | / | |
| | | / | |
| | |/ | |
| xen-br0 br1 br1 |
| | ! ! |
| ___|_______________________________________________________________ |
| | | |
| | dom0 | |
|_______|_________________________________________________________________|_______|



Marcus.
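The per-segment pattern in Marcus's message (a /29 carved out of 192.168.254.0/24 on dummyK, dummyK as the anchor port of bridge brK, one vif on every bridge for the firewall domain) is easy to get wrong by hand once there are ten of them. The script below generates those pieces and checks the things a hand-written vif list tends to get wrong. It is an added example, not code from the original post or from Xen: the /24, the MAC prefix aa:00:00:25:40, the dummyK/brK pairing and the xen-br0 first entry are taken from the message; deriving the last MAC byte from the dummy's host octet in hex (so it differs from the post's MACs above br1) is this example's own convention; and the stanza adds a `post-down brctl delbr` that the posted stanza lacks. One design caveat the post does not spell out: giving each dummy an address puts dom0 on every guest segment at layer 3. A bridge port only needs to be up, so the address lines can be dropped if dom0 is not meant to be reachable from the guest segments.

```shell
#!/bin/sh
# Added example (not from the original post). Generates, for N guest segments:
#   - the /etc/network/interfaces stanza for dummyK bridged into brK
#   - the nics= and vif = [...] lines for the firewall domain
# Usage: sh segments.sh 3
# Constructed assumptions: the /24 below and the MAC prefix from the post;
# last MAC byte = the dummy's host octet in hex (this example's convention).

BASE=192.168.254
MACPFX=aa:00:00:25:40

# seg <k> <field>: one field of the k-th /29 (k=0 is dummy0 at .1/29)
seg() {
    case "$2" in
        network)   echo "$BASE.$(( $1 * 8 ))" ;;
        address)   echo "$BASE.$(( $1 * 8 + 1 ))" ;;
        broadcast) echo "$BASE.$(( $1 * 8 + 7 ))" ;;
        netmask)   echo 255.255.255.248 ;;
        *)         return 1 ;;
    esac
}

# seg_mac <k>: MAC of the firewall's vif on br<k>; the last byte encodes the
# segment so a MAC seen on a bridge can be read back to its segment
seg_mac() {
    printf '%s:%02x\n' "$MACPFX" "$(( $1 * 8 + 1 ))"
}

# mac_ok <mac>: true if the MAC is locally administered (bit 1 of the first
# byte set) and unicast (bit 0 clear). A hand-picked MAC with bit 0 set is a
# multicast address; one with bit 1 clear may collide with a vendor OUI.
mac_ok() {
    first=$(printf '%d' "0x${1%%:*}")
    [ $(( first & 1 )) -eq 0 ] && [ $(( first & 2 )) -ne 0 ]
}

# ifaces_stanza <k>: /etc/network/interfaces stanza for dummy<k> + br<k>.
# Unlike the posted stanza, post-down also removes the bridge.
ifaces_stanza() {
    k=$1
    cat <<EOF
auto dummy$k
iface dummy$k inet static
    address $(seg "$k" address)
    netmask $(seg "$k" netmask)
    network $(seg "$k" network)
    broadcast $(seg "$k" broadcast)
    post-up brctl addbr br$k || true
    post-up brctl addif br$k dummy$k || true
    post-down brctl delif br$k dummy$k
    post-down brctl delbr br$k

EOF
}

# firewall_vifs <n>: nics= and vif = [...] for the firewall domain, xen-br0
# first as in the post, then one vif per guest bridge br1..br<n-1>
firewall_vifs() {
    n=$1
    list="'mac=$(seg_mac 0), bridge=xen-br0'"
    k=1
    while [ "$k" -lt "$n" ]; do
        list="$list, 'mac=$(seg_mac "$k"), bridge=br$k'"
        k=$(( k + 1 ))
    done
    echo "nics=$n"
    echo "vif = [ $list ]"
}

# vif_count <n>: number of vif entries emitted; must equal nics= or xm rejects
# the config or silently leaves a bridge without a firewall leg
vif_count() {
    firewall_vifs "$1" | tr ',' '\n' | grep -c 'bridge='
}

main() {
    n=${1:-3}
    k=0
    while [ "$k" -lt "$n" ]; do
        ifaces_stanza "$k"
        k=$(( k + 1 ))
    done
    firewall_vifs "$n"
}

main "$@"
```

Running `sh segments.sh 3` prints the three stanzas followed by `nics=3` and a two-bridge vif line; `vif_count` and `mac_ok` are the checks to run before copying the output into /etc/xen/Firewall.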

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
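The pass-through in Marcus's design is configured in two places that have to agree: the hypervisor's physdev_dom0_hide= list in menu.lst (Xen 2.0 syntax, (bus:dev.func) groups on the kernel line) and the pci = [...] list in /etc/xen/Firewall ('bus,dev,func' strings). A device that is exported but not hidden is still driven by dom0, which defeats the point of moving the NICs out of dom0; a device that is hidden but exported to no domain is simply dead. This added check (not from the post or from Xen) normalises both formats to bus:dev.func and reports both mismatches. The two strings are copied from the message; the function names are this example's own, and the firewall may legitimately receive only a subset of the hidden devices (the other hidden devices in the post are presumably meant for other domains, which this check cannot see).

```shell
#!/bin/sh
# Added example (not from the original post): cross-check the Xen 2.0
# physdev_dom0_hide= kernel option against a domain's pci = [...] list.
# Both strings below are copied from the message.

HIDE='physdev_dom0_hide=(00:0a.0)(00:0b.0)(00:09.0)(00:09.1)(00:09.2)(00:09.3)(00:06.0)'
PCI="pci = ['00,0b,0', '00,0a,0' ]"

# hidden_devs <hide-option>: one bus:dev.func per line, sorted
hidden_devs() {
    printf '%s\n' "$1" | sed 's/^physdev_dom0_hide=//' | tr -d ')' | tr '(' '\n' |
        sed '/^$/d' | sort
}

# exported_devs <pci-line>: 'bus,dev,func' entries rewritten as bus:dev.func, sorted
exported_devs() {
    printf '%s\n' "$1" | sed 's/^pci *= *//' | tr -d "[]'" | tr ',' ' ' |
        awk '{ for (i = 1; i + 2 <= NF; i += 3) printf "%s:%s.%s\n", $i, $(i+1), $(i+2) }' |
        sort
}

# exported_not_hidden <hide> <pci>: devices the domain claims that dom0 still
# owns. Anything printed here means dom0 and the guest both drive the device.
exported_not_hidden() {
    hidden=$(hidden_devs "$1")
    exported_devs "$2" | while read -r dev; do
        printf '%s\n' "$hidden" | grep -qxF "$dev" || echo "$dev"
    done
}

# hidden_not_exported <hide> <pci>: hidden devices this config does not hand out
hidden_not_exported() {
    exported=$(exported_devs "$2")
    hidden_devs "$1" | while read -r dev; do
        printf '%s\n' "$exported" | grep -qxF "$dev" || echo "$dev"
    done
}

# check <hide> <pci>: succeeds only if every exported device is hidden from dom0
check() {
    [ -z "$(exported_not_hidden "$1" "$2")" ]
}

main() {
    if check "$HIDE" "$PCI"; then
        echo "OK: every device in pci = [...] is hidden from dom0"
    else
        echo "PROBLEM: exported to the domain but NOT hidden from dom0:"
        exported_not_hidden "$HIDE" "$PCI"
    fi
    echo "hidden from dom0 but not exported by this config file:"
    hidden_not_exported "$HIDE" "$PCI"
}

main
```

With the strings from the message the check passes and lists the five hidden devices (00:09.0 to 00:09.3 and 00:06.0) that /etc/xen/Firewall does not export; those must show up in some other domain's pci = list or they are unusable.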

 

