This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


[Xen-users] Re: transparant (secure) bridge

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] Re: transparant (secure) bridge
From: Martin Leben <ml060223@xxxxxxxx>
Date: Tue, 08 Apr 2008 21:14:20 +0200
In-reply-to: <dad39cd60804080850l57e1fe3cj73a1fdbf0344830c@xxxxxxxxxxxxxx>
References: <dad39cd60804080850l57e1fe3cj73a1fdbf0344830c@xxxxxxxxxxxxxx>
Hi Jeroen,

Jeroen Kleijer wrote:
> However, the thing I'm most interested in would be transparent network
> bridging like a firewall bridge where the bridging host (dom0) has no
> exposed IP address to the outside world and is only accessible through
> the console or a completely separate management interface (eth1, not
> accessible from any of the domU's)

> Since dom0 has no IP interface exposed to the outside but only acts as
> a bridge from the outside to the domU's, that would make the dom0 a
> bit more secure.

Absolutely. This is the setup I use myself. I have a two-interface firewall in a domU.

> Would such an implementation be feasible or does the dom0 network
> interface always have to have an IP stack for the bridging to work?

A network interface doesn't have to have an IP address to be in use, regardless of whether it is connected to a bridge or not.

This is how I set up the interfaces on the dom0:

# egrep -v "^(#|$)" /etc/network/interfaces
auto lo
iface lo inet loopback
allow-hotplug eth0
iface eth0 inet static

Note that I don't even bother to mention eth1, the external interface. It doesn't get an IP.

I followed this example:
... which recommended to create a custom network script:

# cat /etc/xen/scripts/my-network-script
#!/bin/sh
# Run the stock network-bridge script once per physical interface:
# vifnum=0 builds xenbr0 on eth0, vifnum=1 builds xenbr1 on eth1.
dir=$(dirname "$0")
"$dir/network-bridge" "$@" vifnum=0
"$dir/network-bridge" "$@" vifnum=1

... which is then used by xen:

# egrep -v "^(#|$)" /etc/xen/xend-config.sxp
(network-script my-network-script)
(vif-script vif-bridge)
(dom0-min-mem 196)
(dom0-cpus 0)

And finally, the firewall domU is configured like this:

# egrep -v "^(#|$)" /etc/xen/zack.cfg
kernel  = '/boot/vmlinuz-2.6.18-5-xen-686'
ramdisk = '/boot/initrd.img-2.6.18-5-xen-686'
memory  = '96'
root    = '/dev/sda1 ro'
disk    = [ 'phy:vg-james/zack-disk,sda1,w',
            'phy:vg-james/zack-swap,sda2,w' ]
name    = 'zack'
xen_shell = 'zack'
vif  = [ 'mac=00:16:3e:92:7b:c5, bridge=xenbr0',
         'mac=00:16:3e:a6:63:5d, bridge=xenbr1' ]
on_poweroff = 'destroy'
on_reboot   = 'restart'
on_crash    = 'restart'

And don't forget to add "post-up ethtool -K <device> tx off" to the interface stanzas in /etc/network/interfaces of the domUs like this:

auto eth0
iface eth0 inet dhcp
        post-up ethtool -K eth0 tx off

Good luck!
/Martin Leben
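An added check, not part of Martin's post and not Xen code: a POSIX sh audit of the property the thread is after, namely that the dom0 interface on the outside segment is enslaved to the external bridge and that neither the port nor the bridge device carries an address. It assumes iproute2's `bridge link show` and `ip -o addr show` (the post's era used brctl); the function name and all sample outputs below are constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post or from Xen): verify that a dom0
# bridge port is "transparent", i.e. enslaved to the right bridge and without
# any IPv4/IPv6 address on the port or on the bridge device itself.
# Assumed tools: `bridge link show` and `ip -o addr show` from iproute2.

# Constructed `bridge link show` output: eth0/eth1 and the firewall domU's
# vifs are ports of xenbr0/xenbr1 (names follow the post; the vif numbers
# are made up).
SAMPLE_LINKS='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master xenbr0 state forwarding priority 32 cost 4
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master xenbr1 state forwarding priority 32 cost 4
6: vif1.0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master xenbr0 state forwarding priority 32 cost 100
7: vif1.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master xenbr1 state forwarding priority 32 cost 100'

# Constructed `ip -o addr show` output for a correct dom0: addresses only on
# lo and the management side (eth0); nothing on eth1 or xenbr1.
SAMPLE_ADDRS_GOOD='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever'

# Same host, but IPv6 autoconfiguration has given the external bridge a
# link-local address, so dom0 is reachable from the outside segment after all.
SAMPLE_ADDRS_BAD="$SAMPLE_ADDRS_GOOD
5: xenbr1    inet6 fe80::216:3eff:fe00:1/64 scope link \       valid_lft forever preferred_lft forever"

# check_transparent_port IFACE BRIDGE ADDR_OUTPUT LINK_OUTPUT
# Exit status: 0 = IFACE is a port of BRIDGE and neither carries an address
#              1 = IFACE is not enslaved to BRIDGE
#              2 = IFACE or BRIDGE has an IPv4/IPv6 address (dom0 is exposed)
check_transparent_port() {
    _iface=$1 _bridge=$2 _addrs=$3 _links=$4
    # Port membership: "N: eth1: <...> ... master xenbr1 state ..."
    printf '%s\n' "$_links" \
        | grep -Eq "^[0-9]+: $_iface: .* master $_bridge( |\$)" || return 1
    # Any "inet" or "inet6" record on the port or the bridge means exposure;
    # a link-local inet6 on the bridge counts, it is reachable on the segment.
    printf '%s\n' "$_addrs" \
        | grep -Eq "^[0-9]+: ($_iface|$_bridge) +inet6? " && return 2
    return 0
}

# Stand-alone run over the constructed samples. On a live dom0 replace the
# samples with: check_transparent_port eth1 xenbr1 "$(ip -o addr show)" "$(bridge link show)"
for sample in GOOD BAD; do
    eval "_a=\$SAMPLE_ADDRS_$sample"
    check_transparent_port eth1 xenbr1 "$_a" "$SAMPLE_LINKS" && rc=0 || rc=$?
    case $rc in
        0) echo "$sample: eth1 is a port of xenbr1 and neither has an address" ;;
        1) echo "$sample: eth1 is not enslaved to xenbr1" ;;
        2) echo "$sample: dom0 has an address on eth1 or xenbr1; see sysctl net.ipv6.conf.xenbr1.disable_ipv6" ;;
    esac
done
```

The second sample is the case worth checking for in practice: leaving the bridge device without an `iface` stanza keeps IPv4 off it, but the kernel still assigns an IPv6 link-local address to the bridge when IPv6 is enabled, so "no IP on the outside" also needs `net.ipv6.conf.<bridge>.disable_ipv6=1` (or IPv6 disabled entirely on dom0), and this audit is meant to catch that.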
