I think that a better solution is to hide the pethX from dom0 and export
them to the router domU, because in Xen 3 you are limited to 3 interfaces
per domU, and you don't get the overhead of the bridging code. The
configuration files will also be much simpler.
I think it was pciback.hide=(pcidev0)(...)(pcidevN) on the dom0 kernel
command line and
pci=['pcidev0','...','pcidevN'] in the domU config file.
Note that you must have drivers for the hardware in the domU.
On Tue, 14 Feb 2006, Patrick Wolfe wrote:
On Tue, 2006-02-14 at 10:44 -0600, Daniel Goertzen wrote:
FYI, I am implementing a firewall using firehol in a domU. It has 3
interfaces which are plugged into 3 bridges in my dom0 (internet, lan,
and dmz). Only 2 of the bridges connect to physical ethernet interfaces
(internet, lan); the other one is meant for routing to DMZ domUs only.
My setup is not complete, but partial tests are showing good results.
On the two systems I set up running Xen 3 and a firewall, I found it made
much more sense to create a firewall domU with a minimal OS, and do all my
iptables filtering there. Just like Daniel describes, I created a
bridge for each physical interface, connected the physical interface and
the firewall domU to each of those bridges, then created one additional bridge
(my Xen DMZ) to which I attached the firewall, dom0's veth0 and all
other domUs.
+-------+   +---------+               +-----------+
| peth0 |---| br0eth0 |       +-------|veth0 dom0 |
+-------+   +---------+       |       +-----------+
                 |            |
            +--eth0--+        |
            |        |        |
            |        e        |
            |  fire1 t   +--------+   +-----------+
            |  domU1 h---| br2dmz |---|eth0 domU2 |
            |        2   +--------+   +-----------+
            |        |        |
            +--eth1--+        |
                 |            |
+-------+   +---------+       |       +-----------+
| peth1 |---| br1eth1 |       +-------|eth0 domU3 |
+-------+   +---------+               +-----------+
From the firewall domU's perspective, it doesn't see any bridges, just
eth0, eth1, etc. This makes setting up firewall/NAT rules much easier,
plus it's more secure, because you don't need all the packages in the
firewall domU that dom0 needs to run Xen. Plus, we're not routing
traffic through dom0's IP stack (it just deals with bridging). Since
dom0 is where all the physical network interfaces, bridges, and disk
devices are visible, it is the most critical system on the box, security-wise.
If someone gets into dom0, they have the keys to the kingdom.
By not routing any traffic through dom0, and keeping it behind the
firewall (or making it completely inaccessible from the network), you
reduce the risk that someone could access it and compromise your whole
network of systems.
--
Patrick Wolfe
email: pwolfe@xxxxxxxxxxxxxx
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
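The following is an added example, not code from the thread or from any of its posters, of the ruleset the firewall domU ("fire1" in the diagram) could load to enforce the policy the posts describe. It uses plain iptables rather than firehol, and it assumes a mapping the thread never states: eth0 sits on br0eth0 (Internet), eth1 on br1eth1 (LAN), eth2 on br2dmz (Xen DMZ). The addresses, the role of domU2 as a DMZ web server, and dom0's veth0 address are constructed for illustration. The point it demonstrates is the one Patrick makes: every packet is filtered in the domU, dom0's veth0 on the DMZ bridge is unreachable from any side, and the DMZ can never initiate towards the LAN. Setting IPT=echo prints the rules instead of loading them, so the policy can be reviewed before it is applied.

```shell
#!/bin/sh
# Firewall domU ruleset for the three-bridge Xen topology (added example).
# Interface mapping inside the domU is an assumption of this example:
#   eth0 -> br0eth0 (Internet), eth1 -> br1eth1 (LAN), eth2 -> br2dmz (DMZ)
# All addresses below are constructed, not taken from the thread.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
DMZ_IF="${DMZ_IF:-eth2}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DMZ_NET="${DMZ_NET:-10.0.0.0/24}"
DOM0_IP="${DOM0_IP:-10.0.0.2}"   # dom0's veth0 on br2dmz (assumed address)
WEB_IP="${WEB_IP:-10.0.0.10}"    # domU2, assumed to be a DMZ web server

# IPT is the iptables binary; IPT=echo turns every call into a dry run.
IPT="${IPT:-iptables}"

# Routing between the three interfaces happens in this domU, not in dom0.
enable_routing() {
    sysctl -w net.ipv4.ip_forward=1
}

apply_firewall() {
    # Start from a clean, default-deny state.
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback and return traffic for connections we already allowed.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: our own internal ranges never arrive from the Internet.
    $IPT -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$WAN_IF" -s "$DMZ_NET" -j DROP

    # The firewall itself is managed only over ssh from the LAN.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT

    # dom0 shares br2dmz with the DMZ guests. Nothing may be routed to it,
    # and nothing it sends is forwarded or accepted. The rules are inserted
    # at position 1 so they also beat the ESTABLISHED,RELATED shortcut; if
    # dom0 must fetch updates, relax the second rule for outbound traffic.
    $IPT -I FORWARD 1 -d "$DOM0_IP" -j DROP
    $IPT -I FORWARD 2 -s "$DOM0_IP" -j DROP
    $IPT -I INPUT 1 -s "$DOM0_IP" -j DROP

    # LAN clients reach the Internet (masqueraded) and DMZ services.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -d "$DMZ_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # The Internet reaches exactly one DMZ service: HTTP on domU2.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_IP:80"
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$WEB_IP" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # A compromised DMZ host may talk out, but never initiate into the LAN.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP
    $IPT -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$DMZ_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$DMZ_NET" -j MASQUERADE

    # Rate-limited log of whatever the default-deny policy is about to drop.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# Print the ruleset instead of loading it (subshell keeps IPT override local).
show_rules() {
    ( IPT=echo; apply_firewall )
}
```

Run `show_rules` first and read the output; then, inside the firewall domU as root, `enable_routing && apply_firewall`. Because the rules key on eth0/eth1/eth2 rather than on bridge names, the same script works whether the interfaces are vifs on dom0 bridges, as in the diagram, or real NICs hidden from dom0 with pciback and passed through as the top reply suggests.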