From mboxrd@z Thu Jan 1 00:00:00 1970
From: Nicholas Lee
Subject: Re: Bridging firewall?
Date: Mon, 24 Jan 2005 14:21:01 +1300
Message-ID: <20050124012101.GC23571@stateless>
References: <20050121104919.GF27277@stateless>
 <200501211355.35262.gm281@hermes.cam.ac.uk>
 <20050124001200.0413c039.matxen@matws.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path:
Content-Disposition: inline
In-Reply-To: <20050124001200.0413c039.matxen@matws.net>
Sender: xen-devel-admin@lists.sourceforge.net
Errors-To: xen-devel-admin@lists.sourceforge.net
List-Unsubscribe: ,
List-Post:
List-Help:
List-Subscribe: ,
List-Archive:
To: Matthieu PATOU
Cc: xen-devel@lists.sourceforge.net
List-Id: xen-devel@lists.xenproject.org

On Mon, Jan 24, 2005 at 12:12:00AM +0100, Matthieu PATOU wrote:
> On Fri, 21 Jan 2005 13:55:35 +0000
> Grzegorz Milos wrote:
>
> > > Is it possible with Xen to construct something like the following scenario.
> > >
> > > Free/NetBSD (*) domU server running pf or Linux/iptables, acting as a
> > > routing or bridging firewall for all the other domU guests? Furthermore
> > > create virtual DMZ and internal services.
> I've done it and it's been running for two or three months at home and it seems to
> work ...

For the comments below I assume you are using Linux as your firewall OS.

> Not sure, see my setup:
> I've two cards in dom0: eth0 and eth1. eth1 is linked to my xDSL modem, eth0 to
> a switch for other physical machines. eth0 is also shared with other xenU
> domains (those which are considered to be behind the firewall).
> br0 encapsulates eth0, one of the virtual network cards of my firewall (the one
> considered filtered) and the other xenU virtual network cards.
> br1 encapsulates eth1 and the other virtual network card.

So in a sense you've put your virtual servers on the same network as some of
your internal machines.
> My basic idea was not to configure eth1 at all; I thought that if the interface
> is not activated there is no chance of attacking xen0.
> It turns out that in order to have the packets directed to xenFirewall-input, I must
> do ifconfig eth1 up.

I've been thinking that the following similar method is possible, without
resorting to giving physical device access to a domU. Basically the same as
above, except I'll just have a virtual eth1.

Put dom0 and a virtual NIC for the firewall (domU1-eth0 say) on br0/eth0.

Put domU1-veth1 and all the other domUs on br1.

Then set up domU1 as a bridging firewall.

Admin domU1, either via the console from dom0, or set up a third private
internal network accessible from dom0, or a management VPN.

So there are three bridges. Not sure how well it would perform, or whether
the Net/FreeBSD virtual NIC drivers can handle this scenario. It seems
workable though.

Pf+altq are by far much nicer than iptables.

Nicholas
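The three-bridge layout sketched in this reply (dom0 and the firewall's outside leg on br0/eth0, the firewall's inside leg plus every protected domU on br1, and a private management bridge as the third), written out as a dom0 setup script. This is an added example and not code from the thread or from Xen's own network scripts; the bridge names br0/br1/br2, the domain ids (firewall = 1, protected guests = 2 and 3), the vif<domid>.<n> numbering, and the 10.255.0.1/30 management address are all assumptions. By default it prints the plan instead of touching the host.

```shell
#!/bin/sh
# Constructed example (not from the original mail) of the three-bridge layout:
#   br0 = eth0 + dom0's address + firewall outside leg (vif1.0)
#   br1 = firewall inside leg (vif1.1) + every protected guest's vif
#   br2 = management only: dom0 <-> firewall third leg (vif1.2), no physical NIC
# Bridge names, domain ids, vif numbering and the 10.255.0.1/30 address are assumptions.
set -e

FW_DOMID=1            # domU1, the bridging firewall (assumed id)
INSIDE_DOMIDS="2 3"   # guests that must only reach the world through domU1 (assumed ids)
DRY_RUN=${DRY_RUN:-1} # 1 = print the plan, 0 = really run brctl/ip (needs root + existing vifs)

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# A bridge that only carries hosts needs no STP and no forwarding delay.
mk_bridge() {
    run brctl addbr "$1"
    run brctl stp "$1" off
    run brctl setfd "$1" 0
    run ip link set "$1" up
}

plan_topology() {
    mk_bridge br0
    mk_bridge br1
    mk_bridge br2

    # br0: the physical uplink and the firewall's outside leg.
    run brctl addif br0 eth0
    run brctl addif br0 "vif${FW_DOMID}.0"

    # br1: the firewall's inside leg and every protected guest. Nothing else
    # may join this bridge, or that member bypasses the firewall.
    run brctl addif br1 "vif${FW_DOMID}.1"
    for d in $INSIDE_DOMIDS; do
        run brctl addif br1 "vif${d}.0"
    done

    # br2: the management path from dom0 to the firewall, off the bridged data path.
    run brctl addif br2 "vif${FW_DOMID}.2"
    run ip addr add 10.255.0.1/30 dev br2   # RFC 1918 address, assumed
}

# Post-start check: given the output of `brctl show`, succeed only if every
# protected guest's vif is a member of br1. brctl prints the bridge name on the
# first interface line only, so the awk tracks which bridge block it is in.
check_inside_isolated() {
    for d in $INSIDE_DOMIDS; do
        echo "$1" | awk -v vif="vif${d}.0" '
            $1 ~ /^br[0-9]/ { cur = $1 }
            $NF == vif && cur == "br1" { found = 1 }
            END { exit (found ? 0 : 1) }' || return 1
    done
    return 0
}

plan_topology
```

Run it as root with `DRY_RUN=0` once the firewall and guest domains have been created, then feed `brctl show` to `check_inside_isolated` after every domain start: a vif that lands on br0 instead of br1 (a typo in the domain's `vif = [...]` line is enough) is reachable without passing through domU1 at all, and nothing in the bridge itself will complain. Inside domU1 the two data legs are joined with the same `brctl addbr`/`addif` commands and filtered with iptables `-m physdev` rules on Linux, or with pf on a bridge(4) interface on FreeBSD.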