Hi Jeroen,
Jeroen Kleijer wrote:
However, the thing I'm most interested in would be transparent network
bridging like a firewall bridge where the bridging host (dom0) has no
exposed IP address to the outside world and is only accessible through
the console or a completely separate management interface (eth1, not
accessible from any of the domU's)
Since dom0 has no IP interface exposed to the outside but only acts as
a bridge from the outside to the domU's, that would make the dom0 a
bit more secure.
Absolutely. This is the setup I use myself. I have a two interface firewall in a
domU.
Would such an implementation be feasible or does the dom0 network
interface always have to have an IP stack for the bridging to work?
A network interface doesn't have to have an IP address to be in use, regardless
of whether it is connected to a bridge or not.
This is how I set up the interfaces on the dom0:
# egrep -v "^(#|$)" /etc/network/interfaces
auto lo
iface lo inet loopback
allow-hotplug eth0
iface eth0 inet static
address 192.168.221.4
netmask 255.255.255.0
gateway 192.168.221.2
Note that I don't even bother to mention eth1, the external interface. It
doesn't get an IP.
I followed this example:
<http://wiki.xensource.com/xenwiki/XenNetworking#head-7b845eda5e0154fecb98165adbd774f6168119d1>
... which recommended creating a custom network script:
# cat /etc/xen/scripts/my-network-script
#!/bin/sh
dir=$(dirname "$0")
"$dir/network-bridge" "$@" vifnum=0
"$dir/network-bridge" "$@" vifnum=1
... which is then used by xen:
# egrep -v "^(#|$)" /etc/xen/xend-config.sxp
(network-script my-network-script)
(vif-script vif-bridge)
(dom0-min-mem 196)
(dom0-cpus 0)
And finally, the firewall domU is configured like this:
# egrep -v "^(#|$)" /etc/xen/zack.cfg
kernel = '/boot/vmlinuz-2.6.18-5-xen-686'
ramdisk = '/boot/initrd.img-2.6.18-5-xen-686'
memory = '96'
root = '/dev/sda1 ro'
disk = [ 'phy:vg-james/zack-disk,sda1,w',
'phy:vg-james/zack-swap,sda2,w' ]
name = 'zack'
xen_shell = 'zack'
vif = [ 'mac=00:16:3e:92:7b:c5, bridge=xenbr0',
'mac=00:16:3e:a6:63:5d, bridge=xenbr1' ]
on_poweroff = 'destroy'
on_reboot = 'restart'
on_crash = 'restart'
And don't forget to add "post-up ethtool -K <device> tx off" to the interface
stanzas in /etc/network/interfaces of the domUs like this:
auto eth0
iface eth0 inet dhcp
post-up ethtool -K eth0 tx off
Good luck!
/Martin Leben
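Added example (not Martin's code, and not anything from the Xen project): a small Python audit of the layout described in the mail. It parses /etc/network/interfaces stanzas and a Xen domU vif list, both embedded here as constructed samples modelled on the excerpts above, and checks the three properties the "dom0 is only a bridge" design depends on: the dom0 uplink (assumed to be eth1, as in the mail) has no IP configured, the firewall domU has a vif on each bridge (assumed xenbr0 and xenbr1), and every domU interface carries the ethtool tx-offload post-up. The sample domU stanza for eth1 deliberately omits that post-up so the audit has something to report.

```python
"""Audit a transparent-bridge Xen layout: dom0 uplink without IP, firewall
domU with a vif on every bridge, ethtool tx offload disabled in the domU.
Added example with constructed sample input; not the original post's code."""
import re
from typing import Dict, List

# Constructed sample: dom0 /etc/network/interfaces. eth1 (the external uplink)
# is intentionally absent, as in the mail, so it never gets an IP address.
DOM0_INTERFACES = """\
auto lo
iface lo inet loopback
allow-hotplug eth0
iface eth0 inet static
    address 192.168.221.4
    netmask 255.255.255.0
    gateway 192.168.221.2
"""

# Constructed sample: domU /etc/network/interfaces; eth1 lacks the ethtool fix.
DOMU_INTERFACES = """\
auto eth0
iface eth0 inet dhcp
    post-up ethtool -K eth0 tx off
auto eth1
iface eth1 inet static
    address 10.0.0.1
    netmask 255.255.255.0
"""

# Constructed sample: the vif list from a domU config (MACs as in the mail).
DOMU_VIF = ['mac=00:16:3e:92:7b:c5, bridge=xenbr0',
            'mac=00:16:3e:a6:63:5d, bridge=xenbr1']


def parse_interfaces(text: str) -> Dict[str, dict]:
    """Map each 'iface' stanza to its method, address and post-up commands."""
    stanzas: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "iface" and len(parts) >= 4:
            current = parts[1]
            stanzas[current] = {"method": parts[3], "address": None, "post_up": []}
        elif parts[0] in ("auto", "allow-hotplug"):
            current = None  # these lines do not open a stanza
        elif current is not None:
            if parts[0] == "address":
                stanzas[current]["address"] = parts[1]
            elif parts[0] == "post-up":
                stanzas[current]["post_up"].append(" ".join(parts[1:]))
    return stanzas


def external_uplink_has_no_ip(text: str, uplink: str) -> bool:
    """True when the uplink is unmentioned, or 'manual' with no address."""
    st = parse_interfaces(text).get(uplink)
    if st is None:
        return True  # never configured: no IP stack bound, as in the mail
    return st["method"] == "manual" and st["address"] is None


def vif_bridges(vif: List[str]) -> List[str]:
    """Extract the bridge= value of every 'mac=..., bridge=...' vif entry."""
    bridges = []
    for entry in vif:
        fields = dict(kv.strip().partition("=")[::2] for kv in entry.split(","))
        bridges.append(fields.get("bridge", ""))
    return bridges


def missing_tx_offload_fix(text: str) -> List[str]:
    """Interfaces (other than lo) without 'post-up ethtool -K <dev> tx off'."""
    missing = []
    for name, st in parse_interfaces(text).items():
        if name == "lo":
            continue
        wanted = re.compile(r"ethtool\s+-K\s+%s\s+tx\s+off" % re.escape(name))
        if not any(wanted.search(cmd) for cmd in st["post_up"]):
            missing.append(name)
    return missing


def audit(dom0_text: str, domu_text: str, vif: List[str],
          uplink: str = "eth1", bridges=("xenbr0", "xenbr1")) -> List[str]:
    """Return a list of findings; an empty list means the layout checks out."""
    findings = []
    if not external_uplink_has_no_ip(dom0_text, uplink):
        findings.append(f"dom0 {uplink} carries an IP address; dom0 is reachable from outside")
    present = vif_bridges(vif)
    for b in bridges:
        if b not in present:
            findings.append(f"firewall domU has no vif on {b}")
    for dev in missing_tx_offload_fix(domu_text):
        findings.append(f"domU {dev}: missing 'post-up ethtool -K {dev} tx off'")
    return findings


if __name__ == "__main__":
    for line in audit(DOM0_INTERFACES, DOMU_INTERFACES, DOMU_VIF) or ["no findings"]:
        print(line)
```

Run against the embedded samples it reports only the deliberately missing ethtool line for the domU's eth1; feed it your own dom0 and domU files (and the vif list from the domU .cfg) to check a real installation. The uplink check treats "not mentioned at all" and "iface ... inet manual without an address" as equivalent, since both leave the interface without an IP while still usable as a bridge port.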
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users