
Re: [Xen-users] Comparing approaches firewall on a Xen server. Any experience or recommendations?



Hi Adam

On 2015-04-22 01:26, Adam Goryachev wrote:
I'd appreciate a little help in narrowing this down to the best approach, choosing simple where there's a choice.

IMHO, use two physical ethernet ports on the dom0, and configure each
of them as a bridge (your dom0 Linux OS will be used for this).

That's easy enough. This approach, by NOT passing the interfaces through to the DomU with PCI-passthrough, can get bottlenecked at the bridge due to the DomU<->Dom0 traffic, no?

I've seen it discussed, but don't have any sense for the numbers -- load, throughput, etc. I.e., is it something I should worry about?

Physically, you will connect one of them to your LAN and the other to
your WAN (router/modem/etc).

The LAN port is bridged to xenbr0 and the WAN port to xenbr1.
In dom0, xenbr0 is configured with an IP address the same as any
normal server on your LAN (eg 192.168.1.12/24) and xenbr1 has no IP
address, and is not configured/used.
You configure to pass xenbr0 and xenbr1 to the domU as eth0 and eth1
Within domU you use eth0 as your normal LAN interface (eg
192.168.1.1/24), and configure eth1 as your WAN interface (external IP
address, or PPPoE or whatever is needed). Configure your firewall the
same as if this was a physical server with two ethernet devices.
Nothing special at all.

In this scenario, does the DomU need to be PV, HVM, or either? I guess the answer depends on whether the passed-through bridges need paravirt drivers?

There are a number of HVM-only (or, at least not easily PV'd) firewall appliances which might be nice to use. Wondering out loud about performance issues of firewall in DomU ...

If you use other domUs then you will only pass xenbr0 to them, and
use only eth0 within the domU.

Got it.

To complicate things further ...

Ok, wrote that down for now. And gonna try to NOT complicate things further for a bit :-)


I hope this is helpful.

Great start, thanks.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users
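As an added example (my own, not code from the thread or from Xen), here is a small audit script for the two-bridge layout Adam describes: the firewall domU gets a vif on xenbr0 and one on xenbr1, every other domU is attached to xenbr0 only, and dom0 carries no IP address on xenbr1. It parses xl domU config files and `ip -o -4 addr` output; the sample configs and address listing are constructed, and the domU names are hypothetical.

```python
"""Audit for the two-bridge Xen firewall layout: xenbr0 = LAN, xenbr1 = WAN.
Rules: the firewall domU has one vif on each bridge; every other domU uses
xenbr0 only; dom0 carries no IP address on xenbr1."""
import re

LAN_BRIDGE, WAN_BRIDGE = "xenbr0", "xenbr1"

# Constructed sample inputs (not from the thread), in the formats the
# functions expect: xl domU config files and `ip -o -4 addr` output.
FIREWALL_CFG = "name = 'fw'\nvif = [ 'bridge=xenbr0,mac=00:16:3e:00:00:01', 'bridge=xenbr1' ]\n"
WEB_CFG = "name = 'web'\nvif = [ 'bridge=xenbr0' ]\n"
BAD_WEB_CFG = "name = 'web2'\nvif = [ 'bridge=xenbr0', 'bridge=xenbr1' ]\n"
DOM0_ADDRS_OK = ("1: lo    inet 127.0.0.1/8 scope host lo\n"
                 "3: xenbr0    inet 192.168.1.12/24 brd 192.168.1.255 scope global xenbr0\n")
DOM0_ADDRS_BAD = DOM0_ADDRS_OK + "4: xenbr1    inet 198.51.100.7/24 brd 198.51.100.255 scope global xenbr1\n"

def vif_bridges(xl_config):
    """Bridge of each vif in an xl config, in order; handles the
    'key=value,key=value' entries xl uses and its default bridge of xenbr0."""
    m = re.search(r"^\s*vif\s*=\s*\[(.*?)\]", xl_config, re.S | re.M)
    if not m:
        return []
    bridges = []
    for entry in re.findall(r"['\"]([^'\"]*)['\"]", m.group(1)):
        opts = dict(kv.split("=", 1) for kv in entry.split(",") if "=" in kv)
        bridges.append(opts.get("bridge", LAN_BRIDGE))
    return bridges

def check_domu(name, xl_config, is_firewall):
    """Findings for one domU; an empty list means it follows the recipe."""
    bridges = vif_bridges(xl_config)
    if is_firewall and sorted(bridges) != [LAN_BRIDGE, WAN_BRIDGE]:
        return [f"{name}: firewall needs one vif on each bridge, got {bridges}"]
    if not is_firewall and WAN_BRIDGE in bridges:
        return [f"{name}: non-firewall domU is attached to WAN bridge {WAN_BRIDGE}"]
    return []

def check_dom0_addrs(ip_addr_output):
    """Findings from `ip -o -4 addr`: any address on the WAN bridge exposes dom0."""
    out = []
    for line in ip_addr_output.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1] == WAN_BRIDGE and f[2] == "inet":
            out.append(f"dom0: {WAN_BRIDGE} must have no IP address, found {f[3]}")
    return out

if __name__ == "__main__":
    for finding in (check_domu("fw", FIREWALL_CFG, True) + check_domu("web", WEB_CFG, False)
                    + check_domu("web2", BAD_WEB_CFG, False) + check_dom0_addrs(DOM0_ADDRS_BAD)):
        print(finding)
```

On a real dom0 you would feed it the files under /etc/xen and the live output of `ip -o -4 addr` instead of the constructed samples.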