WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] Re: Setting up firewall as Dom-U

To: "xen-users@xxxxxxxxxxxxxxxxxxx" <xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [Xen-users] Re: Setting up firewall as Dom-U
From: "Gordon McLellan" <gordonthree@xxxxxxxxx>
Date: Sat, 12 Apr 2008 14:16:14 -0400
Delivery-date: Sat, 12 Apr 2008 11:16:44 -0700
In-reply-to: <1C8CF1EA1A5B5940B81B0710B2A4C93856C03FE2DC@xxxxxxxxxxxxxxxxxxxxxxx>
References: <1C8CF1EA1A5B5940B81B0710B2A4C93856C03FE2DB@xxxxxxxxxxxxxxxxxxxxxxx> <ftpspo$920$1@xxxxxxxxxxxxx> <1C8CF1EA1A5B5940B81B0710B2A4C93856C03FE2DC@xxxxxxxxxxxxxxxxxxxxxxx>
I have a DomU firewall, running Astaro Security Gateway as an HVM.  My
base OS / dom0 is CentOS 5.1.  I have a total of four ports in the box
now, two built in and two on a PCI-E card.  I have them all defined in
/etc/sysconfig/network-scripts, but only eth0 has an IP address, or is
set to come up at boot.

The xend network scripts take care of bringing up the other interfaces,
clearing their MAC addresses and adding them to bridges.

# cat ifcfg-eth0
# Intel Corporation 80003ES2LAN Gigabit Ethernet Controller (Copper)
DEVICE=eth0
BOOTPROTO=static
BROADCAST=192.168.2.255
IPADDR=192.168.2.8
NETMASK=255.255.255.0
NETWORK=192.168.2.0
ONBOOT=yes

# cat ifcfg-eth2 (also eth1 and eth3)
# Intel Corporation 82571EB Gigabit Ethernet Controller
DEVICE=eth2
ONBOOT=no
BOOTPROTO=none

The firewall is bound to 4 bridge devices, three physical interfaces
and a fourth which is bound to a dummy interface.  The fourth bridge
(xenbr3) provides a DMZ for some of my virtual machines to network
with.  They have limited internet access and exposed ports, without
having access to my internal LAN.

In the HVM, Astaro just sees four physical ethernet interfaces; it is
oblivious to what's going on behind the scenes.  One interface
connects directly to my cable modem, one to a wireless access point, the
third to my internal LAN.

Gordon

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
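Added example, not part of Gordon's post: a small Python audit of dom0's ifcfg-* files for the layout described above, where only the management interface (eth0) may carry an address and the interfaces bridged through to the firewall DomU must stay unaddressed and down at boot in dom0, since an address on one of them gives dom0 an unfiltered foothold on that segment. The sample files and the eth3 misconfiguration are constructed.

```python
"""Audit dom0 ifcfg-* files for a Xen firewall-DomU setup (constructed example)."""

# Constructed sample ifcfg files, mirroring the post's layout: eth0 is the
# dom0 management interface, eth1..eth3 are handed to the firewall via bridges.
IFCFG = {
    "eth0": "# Intel 80003ES2LAN\nDEVICE=eth0\nBOOTPROTO=static\n"
            "IPADDR=192.168.2.8\nNETMASK=255.255.255.0\nONBOOT=yes\n",
    "eth1": "DEVICE=eth1\nONBOOT=no\nBOOTPROTO=none\n",
    "eth2": "DEVICE=eth2\nONBOOT=no\nBOOTPROTO=none\n",
    # Deliberately wrong: dom0 would obtain its own address on a bridged segment.
    "eth3": "DEVICE=eth3\nBOOTPROTO=dhcp\nONBOOT=yes\n",
}

BRIDGED_TO_FIREWALL = ["eth1", "eth2", "eth3"]  # assumed mapping


def parse_ifcfg(text):
    """Parse KEY=VALUE lines of an ifcfg file; skip comments and blanks."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip().strip("\"'")
    return cfg


def audit(ifcfg_files, bridged_ifaces):
    """Return (iface, reason) pairs for bridged interfaces that dom0 also
    addresses or brings up at boot; an empty list means the layout is clean."""
    findings = []
    for iface in bridged_ifaces:
        cfg = parse_ifcfg(ifcfg_files.get(iface, ""))
        if cfg.get("ONBOOT", "no").lower() == "yes":
            findings.append((iface, "ONBOOT=yes"))
        if cfg.get("IPADDR"):
            findings.append((iface, "IPADDR=" + cfg["IPADDR"]))
        if cfg.get("BOOTPROTO", "none").lower() in ("dhcp", "bootp"):
            findings.append((iface, "BOOTPROTO=" + cfg["BOOTPROTO"]))
    return findings


if __name__ == "__main__":
    for iface, reason in audit(IFCFG, BRIDGED_TO_FIREWALL):
        print("dom0 must not configure %s: %s" % (iface, reason))
```

On a real host, replace the IFCFG dict with the contents of /etc/sysconfig/network-scripts/ifcfg-eth* and the bridge list with whatever xend's network script attaches to the DomU.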