WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
xen-users

Re: [Xen-users] Ideal(istic) Xen firewall design

Hi B.

B.G. Bruce wrote:

>>Option C-v2
>>===========
>>                            Internet
>>                               |
>>                          eth1 |
>>            ___________________|____________________
>>            |        __________|__________         |
>>            |        |     Firewall      |         |
>>Local eth0 =|========|    (Shorewall)    |=========|= eth2 DMZ (optional)
>>            |        |___________________|         |
>>            |             eth3| |eth4              |
>>            | ______________  | |  _______________ |
>>            | | Web Server |  | |  | iPaq Server | |
>>            | |  (Apache2) |  | |  | (Bluetooth) |=|= USB Host #1
>>            | |____________|  | |  |_____________| |  (for BT Dongle)
>>            |          eth0 \ | | / eth0           |
>>            | _______________\| |/                 |
>>            | | Mail Server | | |                  |
>>            | |  (Courier)  | | |                  |
>>            | |_____________| | |                  |
>>            |          eth0  \| |                  |
>>            |                 | |                  |
>>            |             br0 | | br1              |
>>            |        _________|_|_________         |
>>            |        |                   |         |
>>            |        |       dom0        |         |
>>            |________|___________________|_________|
>>
>>Here, it is hoped that the bridges will tie the interface names in
>>the Firewall domain, and still allow the domUs to be restarted.
>>    DETAILS:
>>        - eth0, eth1 and eth2 are physical devices hidden from dom0
>>        - USB Host #1 is also hidden from dom0
>>        - eth2, eth3, and eth4 are essentially DMZ zones as far
>>          as the Firewall is concerned.
>>
>>This sort of thing had been my original plan, however I've so far been
>>unable to create workable bridges ... I'll keep trying.
>>(ie. How do I create br0 and br1 in dom0 without physical interfaces?)
>>For tighter control it might be an idea to create another vif from
>>the dom0 to the Firewall _just_ for dom0 time updates, etc.
>>
>>
>
>Sorry, haven't had time to follow the thread completely, but I've done
>something similar to your C-V2 (using the dummy driver (dummy0-3).  Have
>you thought of/tried this?
>
Thought _and_ tried it without much success.
Mind you that was a week or so ago, and I've learnt more since.
Problems/questions I had included:
    - how do I use multiple dummies! (*snicker*)
       ie. dummy0 and dummy1
       EDIT: scrub that:
          modprobe dummy -o dummy0
          modprobe dummy -o dummy1
    - is there any advantage/reason to try vlan or tun/tap devices?

I understand from various postings that I need to manually create the
extra bridges before bringing up the Firewall domain.
I guess I could do that in a number of ways,
but is there a 'Xen approved' method?

For a bridge that I want dom0 to communicate on, I assign an IP to that
bridge.
However for bridges that dom0 has nothing to do with I should not assign
IPs.
Correct?
If this is the case, why do I need a dummy at all?

So the diagram ends up being like this, maybe????

Option C-v3
===========
                               Internet
                                  |
                                eth1
            ______________________|_______________________
            |        _____________|_______________       |
            |        |        Firewall           |       |
Local eth0 =|========|       (Shorewall)         |=======|= eth2 DMZ (optional)
            |        |___________________________|       |
            |               eth4  |  eth5                |
            | ______________  | eth3  |  _______________ |
            | | Web Server |  |   |   |  | iPaq Server | |
            | |  (Apache2) |  |   |   |  | (Bluetooth) |=|= USB Host #1
            | |____________|  |   |   |  |_____________| |  (for BT Dongle)
            |          eth0 \ |   |   | / eth0           |
            | _______________\|   |   |/                 |
            | | Mail Server | |   |   |                  |
            | |  (Courier)  | |   |   |                  |
            | |_____________| |   |   |                  |
            |          eth0  \|   |   |                  |
            |                 |   |   |                  |
            |                br1  |  br2                 |
            |                 !  br0  !                  |
            |        _____________|_____________         |
            |        |                         |         |
            |        |          dom0           |         |
            |________|_________________________|_________|


Thanks for the hint, I was just compiling vlan support into dom0 when
your message arrived, so you've probably saved me from wandering
further into a pointless exercise! :)
I'll start playing with dummies instead! lol
Better have a coffee first, in case I spit ... I'll quit now :)

Marcus.
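The bridge setup discussed in this message, as an added example that is not part of the thread and not a Xen tools script: a small shell script that creates the three bridges of Option C-v3 in dom0 before the Firewall domain is created. The bridge names br0, br1 and br2, the dom0 address 10.0.0.2/24 on br0 and the use of brctl (bridge-utils) and ip (iproute2) are assumptions about this particular setup. br1 and br2 are created with no member port and no address, which is what a bridge that only ever carries vifs needs, so no dummy interface is involved; only br0 gets an address, so dom0 has an interface and a route on that one segment alone.

```shell
#!/bin/sh
# Added example (not from the thread): build the bridges of Option C-v3 in
# dom0 before the Firewall domain is created.  Bridge names, the dom0 address
# and the brctl/ip commands are assumptions about this particular setup.
set -eu

DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the commands instead of running them

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# make_bridge NAME [ADDR/PREFIX]
# Creates a bridge with no member port: there is nothing to enslave, so no
# dummy device is needed.  STP is off and the forward delay 0 so a vif that
# Xen's vif-bridge script attaches later passes frames at once.  Only when
# ADDR is given does dom0 get an interface (and hence a route) on the segment.
make_bridge() {
    br_name="$1"
    br_addr="${2:-}"
    run brctl addbr "$br_name"
    run brctl stp "$br_name" off
    run brctl setfd "$br_name" 0
    if [ -n "$br_addr" ]; then
        run ip addr add "$br_addr" dev "$br_name"
    fi
    run ip link set "$br_name" up
}

# br0: the one segment dom0 is allowed on (reaches the Firewall for time
#      updates and the like).  br1/br2: domU-only segments, no dom0 address.
setup_all() {
    make_bridge br0 10.0.0.2/24
    make_bridge br1
    make_bridge br2
}

# Run as root: sh bridges.sh --setup   (prefix DRY_RUN=1 to preview)
if [ "${1:-}" = "--setup" ]; then
    setup_all
fi
```

Run it as root before the Firewall domain is created with `xm create`; each domU config then names its segment in the vif line, for instance `vif = [ 'bridge=br1' ]` for the Web and Mail servers and one `bridge=` entry per segment for the Firewall domain, and `brctl show` afterwards should list a vif under each bridge and nothing else. One caveat: a bridge without an address still switches the segment's frames inside dom0, so root in dom0 can sniff br1 and br2 with tcpdump; leaving the address off keeps dom0 off the network, it does not keep the network away from dom0.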

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users