xen-users
Re: [Xen-users] Firewalling Xen?
lists@xxxxxxxxxxxxx wrote:
I have the following Xen config and I was wondering what you'd
recommend as a firewall setup.
Dom0 - 198.175.98.50
Dom1 - 198.175.98.63 (Bridged)
Dom2 - 198.175.98.62 (Bridged)
Dom3 - 198.175.98.61 (Bridged)
Dom4 - 198.175.45.12 (Bridged)
I'm wondering how to set up a firewall for Dom0 when all traffic for
the DomUs goes 'through' it. How should the firewall take this into
account?
On a side note, I read a more secure way was to have the 'primary'
Dom to be a DomU firewall to avoid exploits to the Dom0 but I can't
find proper documentation for such a setup. Can someone point me in
the right direction please?
I'll do the second one first as a) it's shorter, and b) if I do it at
the end it's likely to get missed!
I think what you are referring to is the practice of making a DomU
have the only connection to the outside, and for it to run as a two
port firewall. You can either configure a second bridge to get the
external traffic to the DomU, or hide the PCI device and make it a
native hardware device available only to the DomU - the latter is
what I have at home, and also I believe what Tom Eastep (author of
the Shorewall package) runs for his Shorewall hosting.
For a firewall, I can recommend Shorewall (http://www.shorewall.net)
which I believe takes a good position between low level (native
iptables) and too restrictive.
Now, to the first bit:
I have another server that is set up something similar to your setup.
I hand crafted an init file to configure a few iptables rules to
protect Dom0 - it's pointless trying to run a full firewall as a) I'm
not sure anyone really understands networking fully under Xen, and b)
the network keeps changing when guests start or stop.
My init script is (it actually has more, as the machine has multiple
networks, but I've ripped out all but one):
#! /bin/sh
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $networking
# Required-Stop:     $networking
# Should-Start:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Firewall - home grown bash/iptables script
# Description:       Script to build basic firewall directly with /sbin/iptables
### END INIT INFO
set -e
. /lib/lsb/init-functions
ExtAdd=a.b.c.d
case "$1" in
start)
    log_daemon_msg "Starting firewall"
    # Clear /sbin/iptables first: filter table, raw table and our own chain,
    # so that a second "start" does not fail on the already existing chain
    /sbin/iptables -F
    /sbin/iptables -t raw -F
    /sbin/iptables -X inbound-ext 2>/dev/null || true
    # Set traffic not addressed to us to no-track
    # (bridged guest traffic must not fill Dom0's conntrack table)
    # t:raw c:prerouting
    /sbin/iptables -t raw -A PREROUTING --in-interface ethext \
        ! --dst $ExtAdd -j NOTRACK
    # filter:inbound
    # t:filter c:inbound-ext
    /sbin/iptables -t filter -N inbound-ext
    # allow established streams (ie outbound initiated connections)
    /sbin/iptables -t filter -A inbound-ext -m state --state \
        RELATED,ESTABLISHED -j ACCEPT
    # allow icmp: echo requests unlimited from our own block, rate
    # limited from anywhere else; other icmp types are accepted
    /sbin/iptables -t filter -A inbound-ext --src a.b.c.0/29 -p icmp \
        --icmp-type 8 -j ACCEPT
    /sbin/iptables -t filter -A inbound-ext -p icmp --icmp-type 8 \
        -m limit --limit 6/minute --limit-burst 10 -j ACCEPT
    /sbin/iptables -t filter -A inbound-ext -p icmp --icmp-type 8 -j DROP
    /sbin/iptables -t filter -A inbound-ext -p icmp -j ACCEPT
    # allow ssh, from our own block only, and log it
    /sbin/iptables -t filter -A inbound-ext --src a.b.c.0/29 -p tcp \
        --dport 22 -j LOG --log-level info --log-prefix "FW net2fw"
    /sbin/iptables -t filter -A inbound-ext --src a.b.c.0/29 -p tcp \
        --dport 22 -j ACCEPT
    # drop everything else
    /sbin/iptables -t filter -A inbound-ext -j DROP
    # filter: send inbound packets to us to chain inbound-[ext|bak|int]
    # t:filter c:INPUT
    # policy allow
    /sbin/iptables -t filter -A INPUT --dst $ExtAdd -j inbound-ext
    log_end_msg 0
    ;;
stop)
    log_daemon_msg "Stopping firewall"
    /sbin/iptables -F
    /sbin/iptables -F -t raw
    /sbin/iptables -X inbound-ext
    log_end_msg 0
    ;;
*)
    echo "Usage: /etc/init.d/firewall {start|stop}"
    exit 1
    ;;
esac
exit 0
Now, what I believe this does is:
- Not track any traffic coming in on the external interface that isn't
addressed to us.
- Permit certain inbound traffic.
- Block everything else.
--
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
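Added example, not part of Simon's message and not Xen's own tooling: the
same Dom0 policy expressed as an iptables-restore ruleset generated by a
POSIX shell script. iptables-restore replaces the raw and filter tables in
one atomic load, so a repeated "start" cannot fail on an already existing
chain and no stale raw-table rule survives a filter-only -F, which are the
two weak spots of the -F/-A init script above. The interface name ethext is
taken from the post; the addresses 198.51.100.10 and 198.51.100.0/29 are
documentation-range placeholders standing in for a.b.c.d and a.b.c.0/29,
and the print/check/apply modes are this example's own invention.

```sh
#!/bin/sh
# Added example: generate the Dom0 firewall as an iptables-restore ruleset.
# Assumptions (not from the original post): interface, Dom0 address and the
# management prefix are passed as arguments; the defaults are constructed
# documentation-range values, not real hosts.
set -eu

# gen_rules <ext_iface> <dom0_addr> <mgmt_prefix>
# Prints a complete ruleset for the raw and filter tables on stdout.
gen_rules() {
    ext_if=$1; ext_addr=$2; mgmt=$3
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Bridged guest traffic is not addressed to Dom0: keep it out of conntrack
# so a busy or hostile guest cannot exhaust Dom0's connection table.
-A PREROUTING -i $ext_if ! -d $ext_addr -j CT --notrack
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:inbound-ext - [0:0]
# Only packets addressed to Dom0 itself enter the restrictive chain;
# FORWARD stays ACCEPT so bridged guest traffic is left alone.
-A INPUT -d $ext_addr -j inbound-ext
# Replies to connections Dom0 initiated.
-A inbound-ext -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Echo requests: unlimited from the management prefix, rate limited from
# anywhere else; remaining ICMP types are accepted.
-A inbound-ext -s $mgmt -p icmp --icmp-type 8 -j ACCEPT
-A inbound-ext -p icmp --icmp-type 8 -m limit --limit 6/minute --limit-burst 10 -j ACCEPT
-A inbound-ext -p icmp --icmp-type 8 -j DROP
-A inbound-ext -p icmp -j ACCEPT
# SSH only from the management prefix, logged before acceptance.
-A inbound-ext -s $mgmt -p tcp --dport 22 -j LOG --log-level info --log-prefix "FW net2fw "
-A inbound-ext -s $mgmt -p tcp --dport 22 -j ACCEPT
# Fail closed: everything else addressed to Dom0 is dropped.
-A inbound-ext -j DROP
COMMIT
EOF
}

# Usage: firewall.sh [print|check|apply] [iface] [dom0-addr] [mgmt-prefix]
# print  - write the ruleset to stdout (default, needs no privileges)
# check  - have iptables-restore parse it without loading (root)
# apply  - load it atomically (root)
mode=${1:-print}
iface=${2:-ethext}
addr=${3:-198.51.100.10}      # constructed placeholder for a.b.c.d
mgmt=${4:-198.51.100.0/29}    # constructed placeholder for a.b.c.0/29
case $mode in
    print) gen_rules "$iface" "$addr" "$mgmt" ;;
    check) gen_rules "$iface" "$addr" "$mgmt" | iptables-restore --test ;;
    apply) gen_rules "$iface" "$addr" "$mgmt" | iptables-restore ;;
    *) echo "usage: $0 [print|check|apply] [iface] [dom0-addr] [mgmt-prefix]" >&2
       exit 1 ;;
esac
```

Run it as root with "check" first to have iptables-restore parse the
ruleset without touching the live tables, then "apply". Under the Xen
network-bridge scheme the Dom0 interface that carries external traffic is
the bridge itself, so -i matches it; if you instead name a physical bridge
port, match it with -m physdev --physdev-in. Leaving FORWARD at policy
ACCEPT keeps bridged guest traffic unfiltered when bridge-nf-call-iptables
is enabled, and the raw-table rule keeps that traffic out of Dom0's
conntrack table, which is the property Simon's NOTRACK rule is there for.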