WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/

xen-users

RE: [Xen-users] Ideal(istic) Xen firewall design

To: "'Marcus Brown'" <marcusbrutus@xxxxxxxxxxxxxxxx>, "'Dirk H. Schulz'" <dirk.schulz@xxxxxxxxxxxxx>
Subject: RE: [Xen-users] Ideal(istic) Xen firewall design
From: "Mike Tierney" <miket@xxxxxxxxxxxxxxxx>
Date: Mon, 15 Aug 2005 09:34:10 +1200
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Sun, 14 Aug 2005 21:29:07 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <42FF0CBD.1070507@xxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: AcWgsWmGhgpa8MhASTiwhv4uOdKvYAAZD9Ag
> Marcus Brown wrote:
> Hi Dirk,
> 
> Dirk H. Schulz wrote:
> > Hi Marcus,
> > 
> > thanks for so much info!
> > 
> > Just a short question before I start digging into your configs: What
> > do you gain by running the firewall inside a privileged guest system
> > instead of inside dom0?
> > 
> 
> It's modular, restartable, replaceable, ...
> (ie. I can reboot the firewall without rebooting all the 
> domUs) errr oh, and someone gaining root access to the 
> firewall won't be able to play with xend, or the filesystems 
> of the domUs.
> 
> I'm sure there are other good reasons :)

Yep, like if you are consolidating an existing "bunch" of servers you can
(probably) keep your current set of firewall rules that your current
physical firewall uses.

I'm currently looking at using Xen to consolidate our firewall, front end
(mail, dns, proxy), application & file servers all into the one box (3 of
those sit 98% idle.....). The complex firewall rules (5 diff zones) are
built with fwbuilder (www.fwbuilder.org) and so I can probably just rename
the ethernet devices and hit "compile" to generate the iptables rules for
the new Xen firewall. Hopefully this thread has given me enough info to
handle all the bridging! :)

But it is still tempting to just do away with the separate firewall vm and
do all the firewalling in Dom0!
 
> I've got all my domains (except dom0) on lvm+raid so 
> snapshotting is a great way of testing and making backups.
> 
> This is just the start, though ... more ideas being worked on atm.
> 
> Marcus.
> 
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users
> 
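Added example, not code from the thread or from fwbuilder: the "rename the ethernet devices and recompile" step Mike describes, applied to an already compiled iptables-save dump when the ruleset moves from the physical firewall into a Xen firewall guest, with a check that every zone interface in the rules has a mapping so no zone silently falls through to the default policy. The sample rules and the old-to-new interface mapping are constructed.

```python
"""Rewrite interface names in an iptables-save dump for a consolidated firewall.

Added example (not from the thread): refuses to emit a ruleset that still
refers to an interface with no mapping, since such rules never match in the
guest and the traffic they were meant to handle hits the chain's default policy.
"""
import shlex

# Flags whose next token names a device
IFACE_FLAGS = {"-i", "--in-interface", "-o", "--out-interface"}


def _join(toks):
    # keep the dump's plain spacing; only re-quote tokens that contain spaces
    # (e.g. --comment text), so "!" and options come back out unquoted
    return " ".join(f'"{t}"' if " " in t else t for t in toks)


def rename_interfaces(dump: str, mapping: dict) -> str:
    out, unmapped = [], set()
    for line in dump.splitlines():
        if not line.startswith("-A "):
            out.append(line)  # *table, :CHAIN, COMMIT and comments pass through
            continue
        toks = shlex.split(line)
        for i, tok in enumerate(toks):
            if tok in IFACE_FLAGS and i + 1 < len(toks):
                j = i + 1
                if toks[j] == "!":  # older dumps write negation as "-i ! eth0"
                    j += 1
                if toks[j] in mapping:
                    toks[j] = mapping[toks[j]]
                else:
                    unmapped.add(toks[j])
        out.append(_join(toks))
    if unmapped:
        raise ValueError("no mapping for interface(s): " + ", ".join(sorted(unmapped)))
    return "\n".join(out) + "\n"


# Constructed sample: three zones on the old physical firewall
OLD_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -p tcp --dport 25 -j ACCEPT
-A FORWARD -i eth2 ! -o eth2 -j ACCEPT
-A INPUT ! -i eth0 -p tcp --dport 22 -j ACCEPT
COMMIT
"""
# Constructed mapping: old device name -> device name inside the Xen firewall guest
XEN_MAP = {"eth0": "eth0", "eth1": "eth2", "eth2": "eth3"}

if __name__ == "__main__":
    print(rename_interfaces(OLD_RULES, XEN_MAP), end="")
```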

