xen-users
Re: [Xen-users] Network Interface Problems for DomU Firewall
On Friday 31 July 2009, Tom Jensen wrote:
>
[snip]
>
> As I mentioned before, my ultimate goal is to configure a standard three
> interface firewall within the DomU. Most of the information I have found
> on the subject suggests the most secure way to accomplish this is to
> dedicate the interface connected to the Internet to the DomU using PCI
> passthrough. The other two interfaces (DMZ & LAN) would be virtual
> interfaces bridged to the Dom0. I am open to other concepts for creating
> a firewall DomU if anyone cares to share their configurations.
How about having the firewall inside dom0? If it doesn't have more to do than
routing/firewalling, I think a separate domU is a bit overblown.
You could replace /etc/xen/scripts/network-bridge with a dummy script (always
exit 0, no interface renaming), create simple bridges, e.g. brnet (bridge
interface eth0) and brlan/brdmz (no bridge interfaces, no IP), and add the domU
vifs to these bridges.
You could now firewall inside the bridges.
Have a look at http://www.shorewall.net/manpages/shorewall-hosts.html if you
use it. Works fine.
Christian
>
> > --
> > Fajar
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users
--
"Without music to decorate it, time is just a bunch of boring production
deadlines or dates by which bills must be paid."
--- Frank Vincent Zappa
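The bridge layout described in the reply above, as an added example that is not part of the original mail. The bridge names and eth0 come from the mail; the use of brctl/ip, the bridge-nf sysctl, and the function names bridge_plan and domu_vif_line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# The dummy /etc/xen/scripts/network-bridge the mail describes is just:
#   #!/bin/sh
#   exit 0

UPLINK_BRIDGE=brnet            # carries the physical uplink (from the mail)
UPLINK_IF=eth0                 # physical interface (from the mail)
INTERNAL_BRIDGES="brlan brdmz" # no physical port, no IP (from the mail)

# Print the commands that build the three bridges, one per line.
bridge_plan() {
    for br in "$UPLINK_BRIDGE" $INTERNAL_BRIDGES; do
        echo "brctl addbr $br"
        echo "brctl setfd $br 0"   # optional: no forwarding delay for new vifs
        echo "ip link set dev $br up"
    done
    echo "ip link set dev $UPLINK_IF up"
    echo "brctl addif $UPLINK_BRIDGE $UPLINK_IF"
    # Assumption: iptables-based filtering of bridged frames needs this on.
    echo "sysctl -w net.bridge.bridge-nf-call-iptables=1"
}

# Print the vif line for a domU config file, one vif per bridge given.
domu_vif_line() {
    out=""
    for br in "$@"; do
        out="${out:+$out, }'bridge=$br'"
    done
    echo "vif = [ $out ]"
}

# Dry run by default; set APPLY=1 (as root in dom0) to execute the plan.
if [ "${APPLY:-0}" = 1 ]; then
    bridge_plan | sh -e
else
    bridge_plan
    domu_vif_line brdmz   # constructed sample: a guest placed in the DMZ
fi
```

Only brnet gets a physical port, so a guest attached to brlan or brdmz can reach the uplink only through whatever dom0 permits.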