This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


Re: [Xen-users] firewalls and Xen

On Tue, 2006-02-14 at 10:44 -0600, Daniel Goertzen wrote:
> FYI I am implementing a firewall using firehol in a domU.  It has 3 
> interfaces which are plugged into 3 bridges in my dom0 (internet, lan, 
> and dmz).  Only 2 of the bridges connect to physical ethernet interfaces 
> (internet, lan); the other one is meant for routing to dmz domU's only.  
> My setup is not complete but partial tests are showing good results.

On the two systems I setup running xen3 and a firewall, I found it made
much more sense to create a firewall domU with minimal OS, and do all my
iptables filtering there.  Just like Daniel describes, I created a
bridge for each physical interface, connect the physical interface and
firewall domU to each those bridges, then create one additional bridge
(my XEN DMZ) to which I attached the firewall, dom0's veth0 and all
other domU's.

+-------+   +---------+               +-----------+
| peth0 |---| br0eth0 |       +-------|veth0 dom0 |
+-------+   +---------+       |       +-----------+
                 |            |
            +--eth0--+        |
            |        |        |
            |        e        |
            | fire1  t   +--------+   +-----------+
            | domU1  h---| br2dmz |---|eth0 domU2 |
            |        2   +--------+   +-----------+
            |        |        |
            +--eth1--+        |
                 |            |
+-------+   +---------+       |       +-----------+
| peth1 |---| br1eth1 |       +-------|eth0 domU3 |
+-------+   +---------+               +-----------+

From the firewall domU's perspective, it doesn't see any bridges, just
eth0, eth1, etc.  This makes setting up firewall/nat rules much easier,
plus it's more secure, because you don't need all the packages in the
firewall domU that dom0 needs to run Xen.  Plus, we're not routing
traffic through dom0's IP stack (it just deals with bridging).  Since
dom0 is where all the physical network interfaces, bridges, and disk
devices are visible, it is the most critical system on the box, security
wise.  If someone gets into dom0, they have the keys to the kingdom.

By not routing any traffic through dom0, and keeping it behind the
firewall (or making it completely inaccessible from the network), you
reduce the risk that someone could access it and compromise your whole
network of systems.


Patrick Wolfe

email:   pwolfe@xxxxxxxxxxxxxx

Attachment: signature.asc
Description: This is a digitally signed message part

Xen-users mailing list
<Prev in Thread] Current Thread [Next in Thread>