WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Re: [Xen-users] Firewalling Xen?

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Firewalling Xen?
From: Stephen Liu <satimis@xxxxxxxxx>
Date: Wed, 17 Dec 2008 18:14:24 +0800 (CST)
Delivery-date: Wed, 17 Dec 2008 02:15:04 -0800
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID; b=gLpJgrHvd20nYHprCbjltzKdVyqY+TDFrWUfmRXk9rcUWLHGv/AGOoEbbCAeWjodrvSti2apR5Gjv/MKV/40lbPkX4krL4JrUnw4wXACERi8tYuQNMlwrr8BnOJiYrDkw7AkQIHfqioDrbmTF9+DYafV+vVAdp4AQ67RQbIaAe4=;
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <4948B30D.8000100@xxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Hi Andris,


Thanks for your advice.


The setup of your Xen box is quite similar to mine.  The whole system
is still under testing, NOT for production yet.


> I set up my servers this way and prefer it as the most flexible
> solution for me.
> 
> Dom0 (no firewall, firewalled externally by ISP's firewall) -
> independent host machine, no special setup for easy replacement if it
> fails


For testing convenience no firewall is running on Dom0.  But after
testing is completed I'll install a firewall on Dom0.


> DomU1 (Dedicated shorewall firewall machine doing nat, load
> balancing, proxying etc. for other DomUs in the virtual LAN)

Same here: DomU1 is only for routing, with shorewall running and also
doing proxying.


> DomUs X (all inside LAN, behind DomU1 firewall)

Also the same here: all DomUs are protected behind the firewall of DomU1.
The whole system is working nicely on the Intranet (local network).

My further test is to allow other PCs on the Internet to connect to the
DomUs remotely to fetch mail, also via DomU1 by proxying.  I don't run a
separate proxy server here.  In such a case I wonder whether each DomU
needs its own firewall?  Thanks


B.R.
Stephen L


> DomUs Y (proxyarped in DMZ zone, look like standalone machines from
> the internet)
> 
> So everything is bridged (NET, LAN, DMZ bridges)
> 
> Very flexible, I can replace any component and my DomUs are not
> bound to Dom0. I can move DomUs easily within my Dom0s.
> 
> 
> andris
> 
> Stephen Liu wrote:
> > --- Grant McWilliams <grantmasterflash@xxxxxxxxx> wrote:
> >
> >> Grant McWilliams
> >>
> >> Some people, when confronted with a problem, think "I know, I'll use
> >> Windows."
> >> Now they have two problems.
> >>
> >>
> >> On Tue, Dec 16, 2008 at 9:01 AM, Thomas Goirand <thomas@xxxxxxxxxx>
> >> wrote:
> >>
> >>> lists@xxxxxxxxxxxxx wrote:
> >>>> I'm wondering how to set up a firewall for Dom0 when all traffic
> >>>> for the DomUs goes 'through' it.
> >>>
> >>> Hi,
> >>>
> >>> as we do commercial VPS hosting with xen and our own open source
> >>> management interface, we have designed a small anti-DoS firewall to
> >>> set up in your dom0. It does nothing spectacular, but it helps
> >>> against ssh dictionary attacks, and other very common flood types
> >>> that might hurt your server: ping, syn, etc.
> >>>
> >>> http://git.gplhost.com/gitweb/?p=dtc-xen.git;a=blob;f=debian/dtc-xen.init;h=5e4df2e46e3a872a2d73ada77e24e8bb242f8b6b;hb=a75a32b23d6dde71dc684045b3c2e7051c30e6fa
> >>>
> >>> I'd be happy to have contributions in this small script that is by
> >>> the way very simple to extend (just add a few functions for yourself
> >>> and share, then anybody can enable/disable them with ease).
> >>>
> >>> Thomas
> >>>
> >> Don't you mean this ;-)
> >>
> >> http://git.gplhost.com/gitweb/?p=dtc-xen.git;a=blob;f=debian/dtc-xen-firewall.init;h=16139921d6efd6fc2e407f7d80b11fae97befdf9;hb=a75a32b23d6dde71dc684045b3c2e7051c30e6fa
> >>
> >> A bit off topic but can dtc-xen control its users in a way that you
> >> can assign an admin per VM? What I'm looking for is to have each
> >> student manage his and only his domU.
> >>
> >> Grant McWilliams
> >
> >
> > Hi folks,
> >
> >
> > Just came across this thread.  The setup of the Xen box here is as
> > follows:
> >
> >
> > Dom0 - a workstation for remote setup/config of DomUs
> > DomU1 - mail server for routing (headless)
> > DomU2 - mail server for domain1 (headless)
> > DomU3 - mail server for domain2 (headless)
> > DomU4 - mail server for domain3 (headless)
> > etc.
> >
> >
> > Firewall is only running on DomU1.  I'm running virtual domains, with
> > all domains pointing at the same public IP (one public IP).  All
> > ports on the router are forwarded to the local IP of DomU1.  Do I need
> > to have a firewall installed on each DomU?  TIA
> >
> >
> > B.R.
> > Stephen L
> >


Send instant messages to your online friends http://uk.messenger.yahoo.com 

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
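An added example, not code from this thread or from dtc-xen, of the dom0 side of the setups discussed above: a shell script that builds an iptables rule set for a Xen dom0 whose guests are bridged. It gives dom0's own INPUT chain the kind of anti-flood limits Thomas describes (ssh dictionary attacks, ping and SYN floods) and handles guest traffic in FORWARD, which is where bridged frames are matched, so dom0's own limits never throttle the DomUs. The admin network, the thresholds and the bridge-based layout are assumptions; run it with `apply` as root to load the rules, or with `IPTABLES="echo iptables"` to see what would be loaded.

```shell
#!/bin/sh
# Added example: not code from this thread or from dtc-xen.
# Builds an iptables rule set for a Xen dom0 whose guests are bridged (the
# NET/LAN/DMZ-bridge layout described in the thread):
#   * dom0's own services (INPUT chain) get anti-flood limits of the kind the
#     thread mentions: ssh dictionary attacks, ping floods, SYN floods;
#   * guest traffic crosses the bridge and, with
#     net.bridge.bridge-nf-call-iptables=1, is seen in FORWARD rather than in
#     INPUT, so it is handled there and is not throttled by dom0's own limits.
# Admin network and thresholds are assumptions chosen for the example.
set -eu

ADMIN_NET=${ADMIN_NET:-192.168.1.0/24}   # constructed: where ssh to dom0 comes from
IPTABLES=${IPTABLES:-iptables}           # "echo iptables" gives a dry run

# Rules protecting dom0 itself, one per line, in load order.  The SYN limiter
# lives in its own chain and RETURNs for SYNs under the limit: they then fall
# through to the port rules below.  An ACCEPT there would open every port.
dom0_input_rules() {
    cat <<EOF
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-N SYN_FLOOD
-A SYN_FLOOD -m limit --limit 25/second --limit-burst 50 -j RETURN
-A SYN_FLOOD -j DROP
-A INPUT -p tcp --syn -j SYN_FLOOD
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
-A INPUT -p tcp --dport 22 -s $ADMIN_NET -m conntrack --ctstate NEW -m recent --set --name SSH
-A INPUT -p tcp --dport 22 -s $ADMIN_NET -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
-A INPUT -p tcp --dport 22 -s $ADMIN_NET -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Rules for traffic passing through dom0.  Frames bridged between a guest vif
# and the physical NIC are let through (the LAN guests sit behind DomU1's own
# firewall, the DMZ guests stand alone); anything dom0 would have to route
# rather than bridge is refused, since dom0 is not meant to be a router here.
forward_rules() {
    cat <<EOF
-P FORWARD DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
EOF
}

all_rules() {
    dom0_input_rules
    forward_rules
}

# Number of rule lines the generator produces (handy for a sanity check).
rule_count() {
    all_rules | wc -l | tr -d ' '
}

# Flush the filter table and load every rule.  Word splitting of each line
# into iptables arguments is intended.
apply_rules() {
    $IPTABLES -F
    $IPTABLES -X
    all_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086
        $IPTABLES $rule
    done
}

case "${1:-print}" in
    apply) apply_rules ;;
    *)     all_rules ;;
esac
```

Two points to check when adapting it: the SYN limiter must RETURN rather than ACCEPT, or every port on dom0 would be open to under-limit SYNs; and dom0 only sees bridged guest traffic in FORWARD while bridge-nf-call-iptables is enabled, so with it disabled this script protects dom0 alone and the guests depend entirely on DomU1's shorewall or on firewalls of their own, which is exactly the question raised in the message above.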
