WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] Firewall in a guest domain?

> I guess what I am asking is if I can install for instance IPCop on domain3
> and have it protect domains 0-9 or if I need to as you say run IPTables on
> domain0 to restrict the guests... can I filter all traffic through dom3
> or am I required to filter it through dom0 if I want any kind of
> filtering?

Ah well...

Here are some (not all) possible configurations, in increasing order of 
complexity and theoretical security:

* Basic system, no firewalling, as the default.
* Add IPTables rules in dom0 to protect itself from the guests and outside 
world, and protect and regulate the guests.
* Add IPTables in the domUs to protect themselves.  This could be at the 
discretion of the users.
* Dedicate a physical device to a "firewall domain" and have it filter on that 
interface for all the other domains.

The last seems closest to what you're proposing; there are a few people doing 
this with success, although it's not as user friendly as it could be.

A workaround to assigning devices would be to bridge the ethernet device into 
a guest, then have it filter at the IP (and above) level before delivering to 
the other domains.  This would probably be a bit fiddly to set up but I think 
people have done this too.

Cheers,
Mark
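Mark's second option, IPTables rules in dom0 that protect dom0 from the guests and regulate what the guests may do, written out as a shell function; this is an added example, not code from the thread or from Xen's own vif scripts. The vif names, guest addresses and management network are assumptions.

```shell
#!/bin/sh
# Constructed example of Mark's second option: iptables in dom0 protecting
# itself from the guests and regulating what the guests may do.
# Assumed names (not from the thread): guest vifs vif1.0 and vif2.0 with
# addresses 192.0.2.11 and 192.0.2.12, management network 198.51.100.0/24.
# Bridged frames only pass through iptables when br_netfilter is enabled:
#   sysctl -w net.bridge.bridge-nf-call-iptables=1

# With no argument the rules are printed; "apply" runs them with iptables.
dom0_firewall_rules() {
    ipt="echo iptables"
    if [ "$1" = "apply" ]; then
        ipt="iptables"
    fi

    # Default deny for traffic to dom0 and for traffic bridged through it.
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Frames that entered on a guest vif never reach dom0's own services,
    # whatever source address the guest claims.
    $ipt -A INPUT -m physdev --physdev-in vif+ -j DROP
    # Management access only from the admin network.
    $ipt -A INPUT -s 198.51.100.0/24 -p tcp --dport 22 -j ACCEPT

    $ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing: each guest may only send from its assigned address.
    $ipt -A FORWARD -m physdev --physdev-in vif1.0 ! -s 192.0.2.11 -j DROP
    $ipt -A FORWARD -m physdev --physdev-in vif2.0 ! -s 192.0.2.12 -j DROP
    # No direct guest-to-guest traffic across the bridge.
    $ipt -A FORWARD -m physdev --physdev-in vif+ --physdev-out vif+ -j DROP
    # Guests may initiate outbound connections; only web ports are
    # forwarded in to them from outside.
    $ipt -A FORWARD -m physdev --physdev-in vif+ -j ACCEPT
    $ipt -A FORWARD -m physdev --physdev-out vif+ -p tcp \
        -m multiport --dports 80,443 -j ACCEPT
}
```

Run `dom0_firewall_rules` first to review the rule list, then `dom0_firewall_rules apply` as root; the anti-spoofing lines must be added for every guest, which is why a per-vif hook like Xen's vif scripts is the usual place for them.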
