xen-users
Re: [Xen-users] Network Interface Problems for DomU Firewall
 
Hi,

I ran with such a config for about 3 years on my home network without problem:
- Linux with shorewall in a domU
- PCI pass through for the ethernet card connected to internet.
- Two bridges: br-dmz and br-loc configured at the OS level on dom0. (disabled the network-bridge script).
- As all my dmz hosts were domU, there was no physical interface linked to the br-dmz bridge.
- All guests paravirtualized. (no virtualization support in my CPU at that time).

Nothing to say, this just worked. AFAIR, I had some problems with the pci passthrough that I solved by using a different brand for the ethernet card connected to internet. This is probably fixed now.

Some 5 months ago, I had to migrate to KVM/libvirt because of lack of support for ivtv and nvidia in a xen dom0. I had to use a bridge for the connection to internet interface, this works too.

François.

----- Original Message -----
From: "Christian Fischer" <Christian.Fischer@xxxxxxxxxxxxxxxxxxx>
To: xen-users@xxxxxxxxxxxxxxxxxxx
Sent: Friday, 31 July, 2009 21:46:04 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Re: [Xen-users] Network Interface Problems for DomU Firewall

On Friday 31 July 2009, Tom Jensen wrote:
> [snip]
>
> As I mentioned before, my ultimate goal is to configure a standard three
> interface firewall within the DomU.  Most of the information I have found
> on the subject suggests the most secure way to accomplish this is to
> dedicate the interface connected to the Internet to the DomU using PCI
> passthrough.  The other two interfaces (DMZ & LAN) would be virtual
> interfaces bridged to the Dom0.  I am open to other concepts for creating
> a firewall DomU if anyone cares to share their configurations.

How about having the firewall inside dom0? If it hasn't more to do than
routing/firewalling I think a separate domU is a bit blown.

You could replace /etc/xen/scripts/network-bridge with a dummy script (always
exit 0, no interface renaming), create simple bridges eg. brnet (bridge
interfaces eth0), brlan/brdmz (no bridge interfaces, no ip) and add the domU
vifs to these bridges.

You could now firewall inside the bridges.

Have a look at http://www.shorewall.net/manpages/shorewall-hosts.html if you
use it. Works fine.

Christian

> > > --
> > Fajar
> >
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users

--
"Without music to decorate it, time is just a bunch of boring production
deadlines or dates by which bills must be paid."
        --- Frank Vincent Zappa
  _______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users 
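
Added example, not part of the original thread and not code from either poster: a dom0 check that the internal bridges described above (brdmz, brlan) carry only guest vifs and no physical NIC. It assumes Xen's default vif<domid>.<devid> naming and reads bridge membership from sysfs; the SYSFS_NET override and the function names are hypothetical.

```shell
#!/bin/sh
# Audit bridge membership for the layout discussed in the thread: internal
# bridges (DMZ/LAN) should hold guest vifs only, never a physical interface.
# SYSFS_NET can be overridden to run the check against a constructed tree.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Print the ports enslaved to bridge $1, one per line. The kernel lists them
# as entries under <bridge>/brif/. Returns 2 if $1 is not a bridge.
bridge_ports() {
    [ -d "$SYSFS_NET/$1/brif" ] || return 2
    for p in "$SYSFS_NET/$1/brif"/*; do
        [ -e "$p" ] || [ -L "$p" ] || continue   # empty bridge: glob stays literal
        basename "$p"
    done
}

# Print every port of bridge $1 that is not named like a Xen guest vif.
# Assumption: default vif<domid>.<devid> names; extend the pattern if the
# guests use renamed vifs or tap devices.
non_vif_ports() {
    ports=$(bridge_ports "$1") || return 2
    for p in $ports; do
        case "$p" in
            vif[0-9]*.[0-9]*) ;;
            *) echo "$p" ;;
        esac
    done
}

# Exit status: 0 all bridges are vif-only, 1 some bridge has another port,
# 2 a named interface is not a bridge.
audit_internal_bridges() {
    rc=0
    for br in "$@"; do
        bad=$(non_vif_ports "$br") || { echo "$br: not a bridge" >&2; return 2; }
        if [ -n "$bad" ]; then
            echo "$br: unexpected port(s): $(echo $bad)" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage on dom0: sh audit.sh brdmz brlan
if [ "$#" -gt 0 ]; then
    audit_internal_bridges "$@"
fi
```

Run it only against the bridges that are meant to be internal; the Internet-facing bridge (brnet in the quoted message) is expected to contain eth0 and would be reported.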