Re: [Xen-users] Ideal(istic) Xen firewall design

To: Marcus Brown <marcusbrutus@xxxxxxxxxxxxxxxx>
Subject: Re: [Xen-users] Ideal(istic) Xen firewall design
From: Andreas Seuss <mam04exx@xxxxxxxxxxxxxxxxxxxxxxx>
Date: Thu, 11 Aug 2005 11:55:55 +0200
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Thu, 11 Aug 2005 09:54:12 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <42FAC8B2.8070601@xxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <42FAC8B2.8070601@xxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Debian Thunderbird 1.0.2 (X11/20050331)

Hi Marcus,

Marcus Brown wrote:

>Hi all,
>
>I've managed to setup a Xen firewall/server host.
>I used a design similar to one posted previously,
>except that my internal interfaces aren't bridged.
>It looks something like this (in my head;)):
>
>-------------------------------------------------------------------------------------------
>CURRENT SETUP
>=============
>            ______________________________________
>            |              dom0                  |
>            |        __________________          |
>            |        |   Firewall     |          |
>Local eth0 =|========|  (Shorewall)   |==========|= eth1 Internet
>            |        |________________|          |
>            |    vif2.0 |          | vif3.0      |
>            | __________|___     __|____________ |
>            | | Web Server |     | Mail Server | |
>            | |  (Apache2) |     |  (Courier)  | |
>            | |____________|     |_____________| |
>            |____________________________________|
>
>    DETAILS:
>     - Xen 2.0.7 stable
>     - dom0:
>        - 128MB RAM
>        - Debian sid (sid has ext2resize)
>        - boot and root on plain ext3 (no raid or lvm)
>        - striped swap on 2 drives (64MB + 64MB)
>        - all other filesystems on raid0+lvm
>        - eth0 and eth1 are hidden
>        - the domUs are autoloaded in order at boot time
>            using numbered links in /etc/xen/auto:
>                01-Firewall --> ../Firewall
>                02-WebServer --> ../WebServer
>                03-MailServer --> ../MailServer
>     - Firewall (!dom0)
>        - privileged driver domain using eth0 and eth1
>        - exports backend network interfaces to domUs
>     - WebServer (domU)
>        - 80MB RAM, 64MB swap
>     - MailServer (domU)
>        - 64MB RAM, 64MB swap
>   
>    Before you get over excited about hardware, the host is a
>    P3/650 with 640MB RAM on an Asus P2B-VM with 2 x 3c905 nics,
>    2 x 4.3GB IDE, 1 x 6.4GB IDE, 1 x CD/DVD, and 1 x USB2.0 PCI.
>   
>    PROBLEMS:
>     - As dom0 has no network access, I'm unable to update the
>        system clock using ntpdate. With the clocks of the domUs
>        being tied to the dom0 clock, it is not possible to have
>        the time automatically updated.
>  
>
There was a discussion a few weeks ago about setting the time in domUs.
Quoting  Ian and Franck from the thread "[Xen-users] Setting the date
not working in xen":

"echo 1 > /proc/sys/xen/independent_wallclock
ntpdate ntp0.oleane.net

independent_wallclock=1 on the kernel command line should fix this too."

As far as I understand, it is not what the xen architects had in mind,
but it seems to work.

>     - There are no hotplug events associated with the backend
>        network for the driver domain, so to bring the vif interfaces
>        up in the Firewall a 1 minute cron script checks vif2.0 & 3.0.
>        Crude.
>  
>
No idea here. Doesn't iptables allow inserting rules for interfaces that
aren't running yet?

>     - The domUs can not be restarted at will as the vifs created
>        in the Firewall are assigned new numbers.
>  
>
Let me see if I understand you: you mean that after an xm shutdown +
xm create your vif is no longer vif2.0 but, for example, vif4.0? In this
case, try appending another option to the vif line in your domain's
config file:

vif = [ 'mac=aa:00:00:56:0e:c4, bridge=xen-br0, vifname=e.g.websv' ]

This way your domU's vif will always have the same name. There are some
more interesting options to be found in /usr/lib/python/xen/xm/create.py .

I liked your ASCII drawings ;-). Hope I could help you a little.

Regards,

Andreas

>-------------------------------------------------------------------------------------------
>POSSIBLE SOLUTIONS
>==================
>To get around the problems above, would I be better off with dom0
>handling some/all bridging and networks (and ntpdate)? A few posts in the
>list have suggested something like this, but I can't see how it's done.
>I can think of a few possibilities, but so far have been unable to
>implement any of them (hence this verbose and messy post;)).
>
>Option A
>========
>            ________________________________________
>            |        ____________________          |
>            |        |    Firewall      |          |
>            |        |   (Shorewall)    |          |
>            |        |__________________|          |
>            |                | | |                 |
>            | ______________ | | | _______________ |
>            | | Web Server | | | | | Mail Server | |
>            | |  (Apache2) | | | | |  (Courier)  | |
>            | |____________| | | | |_____________| |
>            |           |    | | |    |            |
>            |           |    | | |    |            |
>            |        ___|____|_|_|____|___         |
>            |        |                   |         |
>Local eth0 =|========|       dom0        |=========|= eth1 Internet
>            |________|___________________|_________|
>
>
>    DETAILS:
>    - dom0
>       - eth0 and eth1 are associated with separate bridges which
>          are exported to the Firewall.
>       - backend network interfaces are exported to the domUs and
>          associated with an internal DMZ bridge (also exported to
>          the Firewall).
>
>Option B
>========
>            ________________________________________
>            |        ____________________          |
>            |        |    Firewall      |          |
>            |        |   (Shorewall)    |==========|= eth1 Internet
>            |        |__________________|          |
>            |                |   |                 |
>            | ______________ |   | _______________ |
>            | | Web Server | |   | | Mail Server | |
>            | |  (Apache2) | |   | |  (Courier)  | |
>            | |____________| |   | |_____________| |
>            |           |    |   |    |            |
>            |           |    |   |    |            |
>            |        ___|____|___|____|___         |
>            |        |                   |         |
>Local eth0 =|========|       dom0        |         |
>            |________|___________________|_________|
>
>    DETAILS:
>       - dom0 exports a bridge with eth0 to Firewall, and
>          a bridge with network backends to the domUs
>
>Option C
>========
>            ________________________________________
>            |        ____________________          |
>            |        |    Firewall      |          |
>Local eth0 =|========|   (Shorewall)    |==========|= eth1 Internet
>            |        |__________________|          |
>            |                  |                   |
>            | ______________   |   _______________ |
>            | | Web Server |   |   | Mail Server | |
>            | |  (Apache2) |   |   |  (Courier)  | |
>            | |____________|   |   |_____________| |
>            |           |      |      |            |
>            |           |      |      |            |
>            |        ___|______|______|___         |
>            |        |                   |         |
>                 |        |       dom0        |         |
>            |________|___________________|_________|
>
>
>    DETAILS:
>       - dom0 exports a network backend which is bridged
>          to domUs as they are brought up
>
>-------------------------------------------------------------------------------------------
>
>So far, Option C looks like a possibility ...
>however, as with this email, I got stuck :)
>
>Thanks for reading the preamble, now on to my question:
>
>QUESTION:
>I think I've explained what I want ... how do I do it?
>
>Marcus.
>
>


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
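Two of the problems in this thread are really the same problem: the backend vif that a domU gets in the driver domain is renumbered on every restart (vif2.0 becomes vif4.0), and the firewall domain has no hotplug event telling it when such a vif appears, so Marcus polls from cron. Andreas's `vifname=` option pins the name; the script below is an added example (not code from either poster or from the Xen project) that turns those two points into a small check an administrator could run inside the firewall domain: it parses the `vif = [...]` line of each domain config to flag domains that still lack `vifname=`, and then compares the expected names against `ip -o link` output to report vifs that are absent or not yet UP. The domain config lines and the `ip -o link` text are constructed samples; the vif names `websv` and `mailsv` are assumptions, and the `vif = [...]` syntax is the Xen 2.x form shown in the reply above.

```python
"""Check Xen 2.x domain configs for stable vif names and report which of
those vifs the driver (firewall) domain has not brought up yet.

Added example, not from the mailing-list thread or the Xen project.
"""
import re

# Constructed sample: the vif= line from three domain config files.
# Only WebServer carries the vifname= option Andreas suggests.
SAMPLE_CONFIGS = {
    "WebServer": "vif = [ 'mac=aa:00:00:56:0e:c4, bridge=xen-br0, vifname=websv' ]",
    "MailServer": "vif = [ 'mac=aa:00:00:56:0e:c5, bridge=xen-br0' ]",
}

# Constructed sample of `ip -o link` output as seen inside the firewall domain:
# websv exists but has not been brought UP; mailsv does not exist at all.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
4: websv: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
"""

VIF_LINE = re.compile(r"^\s*vif\s*=\s*\[(.*)\]\s*$")
IP_LINK_LINE = re.compile(r"^\d+:\s*([^:@]+)(?:@\S+)?:\s*<([^>]*)>")


def parse_vif_line(line):
    """Parse a Xen 2.x ``vif = [ '...', '...' ]`` line into one dict per vif.

    Each quoted entry is a comma-separated list of key=value options, e.g.
    'mac=..., bridge=xen-br0, vifname=websv'.
    """
    match = VIF_LINE.match(line)
    if not match:
        raise ValueError("not a vif line: %r" % line)
    entries = []
    for quoted in re.findall(r"'([^']*)'", match.group(1)):
        opts = {}
        for item in quoted.split(","):
            item = item.strip()
            if not item:
                continue
            key, _, value = item.partition("=")
            opts[key.strip()] = value.strip()
        entries.append(opts)
    return entries


def domains_without_vifname(configs):
    """Domains whose vif entries lack vifname=.

    Without it the backend name in the driver domain changes on every
    restart, so firewall rules keyed on vifN.0 silently stop matching.
    """
    return sorted(name for name, line in configs.items()
                  if any("vifname" not in e for e in parse_vif_line(line)))


def expected_vifnames(configs):
    """All pinned vif names declared across the configs."""
    return sorted(e["vifname"] for line in configs.values()
                  for e in parse_vif_line(line) if "vifname" in e)


def link_states(ip_link_output):
    """Map interface name -> True if the UP flag is set, from `ip -o link` text."""
    states = {}
    for line in ip_link_output.splitlines():
        match = IP_LINK_LINE.match(line)
        if match:
            flags = match.group(2).split(",")
            states[match.group(1).strip()] = "UP" in flags
    return states


def vifs_needing_attention(expected, ip_link_output):
    """Return (missing, down): expected vifs absent from the link list,
    and those present but not yet UP (the case Marcus's cron job handles)."""
    states = link_states(ip_link_output)
    missing = [n for n in expected if n not in states]
    down = [n for n in expected if n in states and not states[n]]
    return missing, down


if __name__ == "__main__":
    # With real data: replace SAMPLE_IP_LINK by the output of `ip -o link`.
    print("domains lacking vifname=:", domains_without_vifname(SAMPLE_CONFIGS))
    missing, down = vifs_needing_attention(["websv", "mailsv"], SAMPLE_IP_LINK)
    print("vifs missing:", missing, " vifs present but down:", down)
```

Run inside the driver domain, the `missing`/`down` split is the useful part: a vif that is present but down only needs `ip link set <name> up` (or the interface block in Shorewall's configuration), while a missing vif means the domU has not been created yet or its config still lacks `vifname=`, which the first check reports.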