From: Nicholas Lee <nic-lists@plumtree.co.nz>
To: Matthieu PATOU <matxen@matws.net>
Cc: xen-devel@lists.sourceforge.net
Subject: Re: Bridging firewall?
Date: Mon, 24 Jan 2005 14:21:01 +1300
Message-ID: <20050124012101.GC23571@stateless>
In-Reply-To: <20050124001200.0413c039.matxen@matws.net>

On Mon, Jan 24, 2005 at 12:12:00AM +0100, Matthieu PATOU wrote:
> On Fri, 21 Jan 2005 13:55:35 +0000
> Grzegorz Milos <gm281@hermes.cam.ac.uk> wrote:
> 
> > > Is it possible with Xen to construct something like the following scenario.
> > >
> > > Free/NetBSD (*) domU server running pf or Linux/iptables, acting as a
> > > routing or bridging firewall for all the other domU guests? Further more
> > > create virtual DMZ and internal services.
> I've done it and it has been running for two or three months at home and it seems to
> work ...

For the comments below I assume you are using Linux as your firewall OS.

> Not sure, see my setup:
> I've two cards in dom0: eth0 and eth1. eth1 is linked to my xDSL modem, eth0 to
> a switch for other physical machines; eth0 is also shared with other xenU
> domains (those that are considered to be behind the firewall).
> br0 encapsulates eth0, one of the virtual network cards of my firewall (the one
> considered filtered) and the other xenU virtual network cards.
> br1 encapsulates eth1 and the other virtual network card.

So in a sense you've put your virtual servers on the same network as
some of your internal machines.


> My basic idea was not to configure eth1 at all; I thought that if the interface
> is not activated there is no chance of attacking xen0.
> It turns out that in order to have the packets directed to xenFirewall-input, I must
> do ifconfig eth1 up.

I've been thinking that the following similar method is possible, without
resorting to giving physical device access to a domU.

Basically the same as above, except I'll just have a virtual eth1.

Put dom0 and a virtual NIC for the firewall (domU1-eth0 say) on br0/eth0.
Put domU1-veth1 and all the other domUs on br1. Then set up domU1 as a
bridging firewall. Admin domU1 either via the console from dom0, or set up
a third private internal network accessible from dom0, or a management VPN.

So there are three bridges. Not sure how well it would perform, or
whether the net/freebsd virtual NIC drivers can handle this scenario. It
seems workable though.


Pf+altq are by far nicer than iptables.


Nicholas
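To make the segmentation point of this exchange concrete, here is an added example (not code from the thread or from Xen) that models both layouts as a graph of bridges and domain interfaces and runs the two checks a defender would want: which hosts the firewall does not actually sit in front of, and which hosts share a layer-2 segment with no firewall hop between them. The domain, interface and bridge names beyond those in the thread (fw, web, db, lanpc, br2, the vif numbering) are assumptions.

```python
from collections import deque

# Added example (not code from the thread): model the two layouts as a graph
# of bridges and the domains whose interfaces sit on them, then run two checks
# a defender wants: which hosts the firewall does not sit in front of, and
# which hosts share an L2 segment with no firewall hop between them.
# Domain, interface and bridge names beyond those in the thread are assumed.

def build_graph(attachments):
    """attachments: (domain, interface, bridge) triples. Nodes are 'br:<name>'
    and 'dom:<name>'; a domain with vifs on two bridges links those bridges
    (in a sound layout only the firewall domain does that)."""
    adj = {}
    for dom, _iface, br in attachments:
        adj.setdefault(f"br:{br}", set()).add(f"dom:{dom}")
        adj.setdefault(f"dom:{dom}", set()).add(f"br:{br}")
    return adj

def reachable(adj, start, blocked):
    """Breadth-first search from start that never enters the blocked node."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt != blocked and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def unprotected_hosts(attachments, uplink_bridge, firewall):
    """Hosts still reachable from the uplink bridge with the firewall domain
    removed, i.e. hosts the firewall does not protect."""
    seen = reachable(build_graph(attachments), f"br:{uplink_bridge}", f"dom:{firewall}")
    return sorted(n[4:] for n in seen if n.startswith("dom:"))

def same_segment(attachments, host, firewall):
    """Other hosts on host's L2 segment(s) with no firewall hop in between."""
    seen = reachable(build_graph(attachments), f"dom:{host}", f"dom:{firewall}")
    return sorted(n[4:] for n in seen if n.startswith("dom:") and n != f"dom:{host}")

# Matthieu's layout: eth1/br1 to the xDSL modem; eth0/br0 shared by dom0, the
# other domUs and the physical LAN switch (host names web, lanpc constructed).
MATTHIEU = [("fw", "vif0", "br1"), ("fw", "vif1", "br0"), ("dom0", "eth0", "br0"),
            ("web", "vif0", "br0"), ("lanpc", "eth0", "br0")]

# Nicholas's proposal: dom0 and the firewall's first vif on br0/eth0, its
# second vif and the other domUs on br1, a third bridge (br2, assumed) for admin.
NICHOLAS = [("dom0", "eth0", "br0"), ("fw", "vif0", "br0"), ("fw", "vif1", "br1"),
            ("web", "vif0", "br1"), ("db", "vif0", "br1"),
            ("dom0", "veth2", "br2"), ("fw", "vif2", "br2")]
```

In the constructed model of Matthieu's layout the firewall shields every host from br1, but the domUs share br0 with dom0 and the LAN machines, which is the "same network as your internal machines" point above. In the proposal the domUs are isolated behind br1, while dom0 sits on the uplink side of the firewall, which is why the out-of-band admin path matters.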


