Re: [Xen-users] advanced bridging...
I had some time today to experiment and I have found the configuration setup for my own diagram. I have worked with the available scripts as much as possible, because I believe that will cause the least administration headaches later on. On the other hand, it's not perfect either, because the NIC connected to the internet in dom0 is up for a few seconds during boot time. This may be a security risk, I don't know for sure. I'll just post it here for others interested in it.

Remember my setup is in CentOS 5 both in dom0 and domU. I have reattached the diagram for this to be a complete message.

Note: for this setup you will need a server with two physical network interfaces, both detected in dom0.

peth0 will be connected to the LAN
peth1 will be connected to the internet

Step 1.
-------
In dom0, configure eth0 as you like (fixed IP or DHCP, whatever suits you) and have it start at boot. Configure eth1 to NOT start at boot. I have given eth1 an invalid address (meaning one that is not in any of my networks) to cope with the few seconds of uptime.

Step 2.
-------
Set up a domU. Relevant information can be found in this mailing list and in the examples provided with Xen. The only relevant part for this specific setup is to have two virtual network interfaces that will each be attached to a separate bridge:

    vif = [ 'mac=aa:cc:00:00:00:02, bridge=xenbr0', 'mac=aa:cc:00:00:00:04, bridge=xenbr1' ]

Step 3.
-------
Create a wrapper script for network-bridge. I have called this "network-bridge-wrapper", and it's stored in /etc/xen/scripts.

    #!/bin/sh
    # Pass xend's action (start/stop/status) through to network-bridge,
    # once per physical NIC so that xenbr0 and xenbr1 are both created.
    /etc/xen/scripts/network-bridge "$1" vifnum=0
    /etc/xen/scripts/network-bridge "$1" vifnum=1
    # Take dom0's own interface on the internet-side bridge down again.
    ifdown eth1

This script is pretty simple: it just calls network-bridge twice with its own command (start/stop/status) and with two different vifnums. Using the parameter that is normally passed to network-bridge (start/stop/status) helps with compatibility. The different vifnums ensure that two bridges are set up. Then dom0's virtual interface eth1 will be shut down.

When dom0 is started, this wrapper will create xenbr0 and xenbr1. xenbr0 will contain eth0 and peth0 (for the LAN side), and xenbr1 will be set up with eth1 and peth0, although eth1 is shut down immediately in the next command. This will keep the bridge but with only the physical NIC in it. At this point, no network traffic can reach dom0 via peth1 (the internet). During the time it takes the server to set up xenbr1 and shut down eth1, dom0 IS reachable via peth1. It's a very short timeframe though. I think most setups have a similar short opening between bringing up the NIC and the firewall.

Step 4.
-------
Edit /etc/xen/xend-config.sxp, and replace network-bridge with network-bridge-wrapper.

Step 5.
-------
Start the domU (xm create ...).

That's it.

Regards,

Geert

On Monday 7 May 2007 09:45, Marc Patino Gómez wrote:
> Hi Geert,
>
> your scheme is so cool, I think it is one of the best ways to secure
> Xen, I use a similar config for one of my Xen servers.
> You can do it manually, as Bock told. Normally, I use a wrapper of
> network-bridge. One question:
>
> In CentOS, are there xend-config.sxp and network-bridge scripts? In this case I
> can post the config
>
> Regards,
>
> Marc
>
> Geert Janssens wrote:
> > Hi Marc,
> >
> > I have seen two network diagrams from you passing in the thread already and
> > they both helped me understand Xen networking a lot better.
> >
> > The first diagram explained how to set up a Xen system with 1 physical
> > NIC, where one domU acts as a firewall for the other domUs. In this
> > scenario, dom0 is connected to the bridge that links to the unsafe net
> > (the "outside" network for the domU firewall).
> >
> > The second diagram explained how to set up a Xen system with 2 physical
> > NICs, where dom0 acts as a firewall between the two NICs. It is set up with two
> > bridges, one that connects the internet side of the virtual network
> > (first physical NIC and first virtual NIC) and one that connects the LAN
> > side of the virtual network (second physical NIC for the rest of the LAN,
> > second virtual NIC for dom0 and virtual NICs for the different domUs).
> >
> > Unfortunately, what I am trying to achieve is yet another slight
> > variation. See the attached image.
> >
> > I would like to set up a system with two physical NICs (peth0 and peth1),
> > where the firewall runs in domU.
> >
> > For that I would like to set up two Xen bridges.
> > The first is on the LAN side, and is a typical Xen bridge: one physical
> > NIC, a virtual NIC for dom0 and one for domU.
> >
> > The second would be on the internet side, but it should NOT have a
> > virtual NIC for dom0, only for domU. The idea is that dom0 should not be
> > accessible from the internet, only from the LAN.
> >
> > Is such a setup possible? And if yes, how?
> >
> > Thank you.
> >
> > Geert Janssens
> >
> > P.S. in an earlier attempt I tried to eliminate the second bridge
> > altogether by assigning peth1 directly to the domU with PCI back.
> > Unfortunately, I can't seem to get PCI back working correctly on my
> > system, so I'd like to try this alternative approach.
> >
> > _______________________________________________
> > Xen-users mailing list
> > Xen-users@xxxxxxxxxxxxxxxxxxx
> > http://lists.xensource.com/xen-users

-- 
Kobalt W.I.T.
Web & Information Technology
Brusselsesteenweg 152
1850 Grimbergen
Tel : +32 479 339 655
Email: info@xxxxxxxxxxxx

Attachment: XenList-Network with double xenbr.png
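One way to confirm after boot that the steps above really leave dom0 off the internet-side bridge, as an added example that is not from Geert's message nor from Xen's own scripts: it reads the bridge ports from sysfs (/sys/class/net/<bridge>/brif/, with the root passed in so the check can also run against a copied tree), and assumes the names xenbr1, peth1 and eth1 from the post; the function name is made up.

```shell
#!/bin/sh
# Added post-boot check (not part of the original thread or of Xen's scripts):
# confirm that the internet-side bridge carries only the physical NIC and Xen
# vifs, and that dom0's own interface on that bridge is down. Bridge ports are
# read from sysfs (/sys/class/net/<bridge>/brif/); the root is a parameter so
# the check can also run against a copied tree. The function name is made up.

# check_outside_bridge SYSROOT BRIDGE PHYS_NIC DOM0_IF
#   returns 0 when BRIDGE under SYSROOT has PHYS_NIC as a port, every other port
#   is a Xen vif (vifN.M), and DOM0_IF reports operstate "down"; otherwise it
#   prints the first violation found and returns 1.
check_outside_bridge() {
    root=$1 br=$2 phys=$3 dom0if=$4
    [ -d "$root/$br/brif" ] || { echo "$br: not a bridge under $root"; return 1; }
    [ -e "$root/$br/brif/$phys" ] || { echo "$br: $phys is not a port"; return 1; }
    for port in "$root/$br/brif"/*; do
        [ -e "$port" ] || continue          # empty brif/ leaves the glob unexpanded
        p=${port##*/}
        case $p in
            "$phys") ;;                      # the internet NIC itself
            vif[0-9]*.*) ;;                  # a Xen vifN.M device
            *) echo "$br: unexpected port $p attached"; return 1 ;;
        esac
    done
    # the dom0 end (eth1 in the post); the wrapper's ifdown must have left it down
    if [ -r "$root/$dom0if/operstate" ]; then
        read -r state < "$root/$dom0if/operstate"
    else
        state=missing
    fi
    [ "$state" = down ] || { echo "$dom0if: operstate is $state, expected down"; return 1; }
    echo "$br: ok, only $phys and vifs attached and $dom0if is down"
    return 0
}

# On the server described in the post:
#   check_outside_bridge /sys/class/net xenbr1 peth1 eth1
```

Run it from a cron job or after `xm create` to catch a wrapper that silently failed to bring eth1 down.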