WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] Firewalling Xen?

To: Dustin.Henning@xxxxxxxxxxx
Subject: Re: [Xen-users] Firewalling Xen?
From: "Grant McWilliams" <grantmasterflash@xxxxxxxxx>
Date: Mon, 15 Dec 2008 13:50:56 -0800
Cc: xen-users@xxxxxxxxxxxxxxxxxxx

On Mon, Dec 15, 2008 at 1:05 PM, Dustin Henning <Dustin.Henning@xxxxxxxxxxx> wrote:
       In case it is relevant, I simply allow all traffic to traverse the forwarding chain when it is headed to a bridged destination.  I then simply run a firewall on dom0 and each domU as if they were all individual machines.  This seems to me like the way to go short of doing something more drastic with hardware isolation, but as a lot of people prefer to have much more complex firewall setups, it is certainly likely that at least some of them have good reason.
       Dustin


Keep in mind that this method means you'll be managing multiple firewalls. In my case it would be about 30 firewalls total. By separating the internal private network from the real network you can run with one firewall. However, having said that, you can only forward each outside port to one port on one domU. This means if you have multiple web servers you can't forward the external port 80 to more than one internal, possibly making it messy for external clients accessing the virtual machines by requiring them to access services on non-standard ports. In my setup this is fine because I only forward one port anyway (ssh) to allow remote logins.

In summary:
To simulate a traditional open network where all virtual hosts (and all ports) are accessible by all external clients you will want to just make sure the peth0 physical network device is added to the bridge that Xen uses for domUs. This will require you to have firewalls on all DomUs in addition to a firewall on Dom0 as Dustin has outlined.

To simulate a private network where all traffic is routed through a firewall you'll want to use my original suggestion or similar. This entails setting up eth0 on Dom0 as a connection to the outside world and dummy0 as a connection to the Xen bridge where the DomUs reside. This will require you to configure a firewall on Dom0 that will filter and pass traffic from an externally accessible port to the desired port of the DomU in question.


Grant McWilliams

Some people, when confronted with a problem, think "I know, I'll use Windows."
Now they have two problems.
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
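The second layout Grant describes (eth0 on Dom0 facing the outside, dummy0 on the Xen bridge with the DomUs, Dom0 as the single firewall that forwards chosen external ports to DomUs) as an added example; this is not code from the post, from Dustin or Grant, or from the Xen project. It builds an iptables-restore ruleset for that layout and enforces the constraint Grant points out: one external port can only be steered to one DomU port, so two DomUs that both run sshd must be published on different external ports. Everything specific is an assumption: the interface names eth0 and dummy0, the private subnet 10.0.0.0/24, the DomU addresses, and the three port mappings are constructed sample data. Classic iptables with the conntrack match is used, not nftables.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or from Xen).
# Dom0 is the only firewall; DomUs sit on a private bridge behind it.
# Assumed names: EXT_IF = Dom0's external link, INT_IF = Dom0's leg on the
# Xen bridge, PRIV_NET = the DomU subnet. All three are assumptions.
EXT_IF=eth0
INT_IF=dummy0
PRIV_NET=10.0.0.0/24

# Forwarding table (constructed sample): <external tcp port> <DomU address> <DomU port>.
# Each external port maps to exactly one DomU port, so the two ssh hosts
# get distinct external ports (2201, 2202) instead of both claiming 22.
FORWARDS='
2201 10.0.0.11 22
2202 10.0.0.12 22
8080 10.0.0.20 80
'

# Emit one rule line; the arguments are joined with spaces.
rule() { printf '%s\n' "$*"; }

# Return 0 if no external port appears twice in FORWARDS, 1 otherwise.
check_unique_ports() {
    dups=$(printf '%s\n' "$FORWARDS" | awk 'NF { print $1 }' | sort | uniq -d)
    [ -z "$dups" ]
}

# Print the nat and filter tables in iptables-restore syntax.
gen_rules() {
    rule '*nat'
    rule ':PREROUTING ACCEPT [0:0]'
    rule ':POSTROUTING ACCEPT [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    # Steer each published external port to its single DomU:port.
    printf '%s\n' "$FORWARDS" | while read -r ext ip port; do
        [ -n "$ext" ] || continue
        rule -A PREROUTING -i "$EXT_IF" -p tcp --dport "$ext" -j DNAT --to-destination "$ip:$port"
    done
    # DomUs share Dom0's external address for outbound traffic.
    rule -A POSTROUTING -s "$PRIV_NET" -o "$EXT_IF" -j MASQUERADE
    rule COMMIT

    rule '*filter'
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Note: management access to Dom0 itself (e.g. its own sshd) is not
    # opened here and must be added deliberately; INPUT defaults to DROP.
    rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # DNAT has already rewritten the destination by the time FORWARD runs,
    # so admit new connections only to the published DomU address:port pairs.
    printf '%s\n' "$FORWARDS" | while read -r ext ip port; do
        [ -n "$ext" ] || continue
        rule -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$ip" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    # DomUs may initiate outbound connections; everything else is dropped.
    rule -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$PRIV_NET" -j ACCEPT
    rule COMMIT
}

# Load the ruleset into the kernel (needs root on Dom0).
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1
    gen_rules | iptables-restore
}

# Usage: ./xen-fw.sh         -> print the generated ruleset for review
#        ./xen-fw.sh apply   -> refuse on duplicate external ports, else load it
case "${1:-}" in
    apply)
        check_unique_ports || { echo "duplicate external port in FORWARDS" >&2; exit 1; }
        apply_rules
        ;;
    *)
        gen_rules
        ;;
esac
```

Reviewing the printed ruleset before applying it is the point of separating gen_rules from apply_rules: with both INPUT and FORWARD defaulting to DROP, a typo in the table silently cuts a DomU off rather than exposing it, which is the safer failure but still worth catching on paper first.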