WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] Running workstation and firewall on the same hardware

To: "Carl Holtje ;021;vcsg6;" <cwh0803@xxxxxxxxxx>
Subject: Re: [Xen-users] Running workstation and firewall on the same hardware
From: Mark Williamson <mark.williamson@xxxxxxxxxxxx>
Date: Mon, 8 Aug 2005 18:35:20 +0100
Cc: Morten Guldager <morten.guldager@xxxxxxxxx>, xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Mon, 08 Aug 2005 17:36:12 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <Pine.GSO.4.58.0508081320590.20382@xxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <d3e62a6b0508071107440f8e71@xxxxxxxxxxxxxx> <200508081737.36596.mark.williamson@xxxxxxxxxxxx> <Pine.GSO.4.58.0508081320590.20382@xxxxxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: KMail/1.8.2
> > Conceptually the simplest would be to have dom0 forward *link level*
> > packets to a domU, which can filter them at IP level and then send them
> > back to dom0. In this scheme dom0 still receives the packets initially
> > but doesn't do anything with them until they've been verified by the
> > domU.  Link-level attacks on dom0 could compromise the machine but a
> > compromise of the domU will not (although your IP traffic is obviously
> > untrusted then).
>
> Maybe I've missed something obvious, but how would you do this?

I've never done it myself, so I can't give an exact recipe...

Basically you'd want to bridge all packets from the real ethernet onto the vif 
of the domU and bypass dom0's TCP stack.  You should be able to do this by 
not configuring the bridge as an IP interface.  Then create a second VIF to 
the domU, configure it for IP, and configure dom0's routing to use the IP 
over the domU as the gateway.

The domU would treat its first vif (the bridged one) as "external" and the
second as "internal", even though they're really both serviced through dom0 
in some way.

I think this is sane from a Linux PoV?  (albeit very context-switch heavy from 
a Xen PoV)

Cheers,
Mark

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
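Added example, not part of the mail above and not Xen's own network scripts: a dom0-side sketch of the layout Mark describes, written with the brctl/ifconfig/route tools Xen's scripts used at the time. Every name in it is an assumption: eth0 as the physical NIC, xenbr-ext as the bridge that deliberately carries no IP address in dom0, vif1.0 and vif1.1 as the firewall domU's "external" and "internal" vifs as seen from dom0, and 10.0.0.1/24 and 10.0.0.2 as the internal addresses. It prints the commands by default (DRY_RUN=1) and carries the check that matters for this design: that dom0 ends up with no address anywhere on the external path, only on the internal vif.

```sh
#!/bin/sh
# Added example (not from the original mail): dom0-side setup for the layout
# Mark describes, in the brctl/ifconfig/route tools of the era.
# Assumed names: physical NIC eth0; external bridge xenbr-ext, which gets NO
# IP address in dom0; the firewall domU's two vifs as seen from dom0, vif1.0
# (bridged, "external") and vif1.1 ("internal"); dom0's internal address
# 10.0.0.1/24 and the domU's internal address 10.0.0.2.
set -eu

PHYS_IF=${PHYS_IF:-eth0}
EXT_BRIDGE=${EXT_BRIDGE:-xenbr-ext}
EXT_VIF=${EXT_VIF:-vif1.0}
INT_VIF=${INT_VIF:-vif1.1}
DOM0_INT_IP=${DOM0_INT_IP:-10.0.0.1}
DOMU_INT_IP=${DOMU_INT_IP:-10.0.0.2}
DRY_RUN=${DRY_RUN:-1}   # 1 = only print the commands; set to 0 on a real dom0

# run: print the command, and execute it only when DRY_RUN=0.
run() {
    printf '%s\n' "$*"
    if [ "$DRY_RUN" = 0 ]; then "$@"; fi
}

# external_path: bridge the physical NIC straight onto the domU's external vif.
# Neither the NIC nor the bridge gets an address, so dom0 only forwards frames
# at link level and its own IP stack never terminates external traffic.
external_path() {
    run brctl addbr "$EXT_BRIDGE"
    run brctl stp "$EXT_BRIDGE" off
    run ifconfig "$PHYS_IF" 0.0.0.0 up        # drop any dom0 address on the NIC
    run brctl addif "$EXT_BRIDGE" "$PHYS_IF"
    run brctl addif "$EXT_BRIDGE" "$EXT_VIF"
    run ifconfig "$EXT_BRIDGE" 0.0.0.0 up     # bridge is up but has no IP
}

# internal_path: the second vif carries dom0's own IP traffic, and the domU is
# dom0's default gateway, so every dom0 packet crosses the firewall.
internal_path() {
    run ifconfig "$INT_VIF" "$DOM0_INT_IP" netmask 255.255.255.0 up
    run route del default || true             # may not exist yet; ignore
    run route add default gw "$DOMU_INT_IP" dev "$INT_VIF"
}

# iface_has_ip IFACE ADDRS: exit 0 if IFACE carries an IPv4 address in ADDRS,
# the text of `ip -o -4 addr show`; exit 1 otherwise. Taking the output as an
# argument lets the check run offline against constructed data.
iface_has_ip() {
    printf '%s\n' "$2" | awk -v ifn="$1" \
        '$2 == ifn && $3 == "inet" { found = 1 } END { exit (found ? 0 : 1) }'
}

# verify_dom0_isolation ADDRS: the check to run after setup. Fails if the NIC
# or the external bridge owns an address in dom0, which would expose dom0's
# IP stack to the outside and defeat the whole arrangement.
verify_dom0_isolation() {
    for _i in "$PHYS_IF" "$EXT_BRIDGE"; do
        if iface_has_ip "$_i" "$1"; then
            printf 'FAIL: %s has an IP address in dom0\n' "$_i"
            return 1
        fi
    done
    iface_has_ip "$INT_VIF" "$1" || {
        printf 'FAIL: %s (internal vif) has no address in dom0\n' "$INT_VIF"
        return 1
    }
    printf 'OK: dom0 addressed only on %s\n' "$INT_VIF"
}

# Constructed samples of `ip -o -4 addr show` output: a correct layout, and
# one where the bridge was mistakenly given an address.
SAMPLE_GOOD='1: lo    inet 127.0.0.1/8 scope host lo
4: vif1.1    inet 10.0.0.1/24 scope global vif1.1'
SAMPLE_BAD='1: lo    inet 127.0.0.1/8 scope host lo
3: xenbr-ext    inet 192.0.2.10/24 scope global xenbr-ext
4: vif1.1    inet 10.0.0.1/24 scope global vif1.1'

case "${1:-}" in
    setup)  external_path; internal_path ;;
    check)  verify_dom0_isolation "$(ip -o -4 addr show)" ;;
    demo)   verify_dom0_isolation "$SAMPLE_GOOD"
            verify_dom0_isolation "$SAMPLE_BAD" || true ;;
esac
```

Saved as, say, fw-dom0.sh: `DRY_RUN=0 sh fw-dom0.sh setup` applies it on dom0, `sh fw-dom0.sh check` then reads the live `ip` output, and `demo` runs the same check against the two constructed samples. The domU side of the picture (its own addresses on the two vifs, IP forwarding and the filter rules) belongs to the firewall guest and is not shown here; what this script fixes is the dom0 half, where the only address dom0 owns is the one on the internal vif.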