WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

[Xen-users] Building a DMZ.

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] Building a DMZ.
From: Old Skywhale <xen@xxxxxxxxxxxx>
Date: Mon, 11 Sep 2006 14:06:55 +0100
Delivery-date: Mon, 11 Sep 2006 06:03:16 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen@xxxxxxxxxxxx
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Greetings,
How does one build a DMZ?
I am trying to do the following:-


                  { INTERNET }
                       |
        +-------------eth2--------------+
        |              |                |
        |         [ extbridge ]         |
        |              |                |
        |      +-----vif2.1-----+       |
        |      |                |       |
        |      |  Ext. Firewall |       | 
        |      |   ( dom u2 )   |       |
        |      |                |       |
        |      +-----vif2.0-----+       |
        |              |                |
        |              |                |
        |          [  DMZ  ]-----------eth1
        |              |                |
        |              |                |
        |      +-----vif1.1-----+       |
        |      |                |       |
        |      |  Int. Firewall |       |
        |      |   ( dom u1 )   |       |
        |      |                |       |
        |      +-----vif1.0-----+       |
        |              |                |
        |        [ intbridge ]          |
        |              |                |
        +-------------eth1--------------+
                       |
                  { LOCALNET }


I have a start script ( eventually to go in /etc/init.d) :-

 #!/bin/bash

 # Create one bridge per physical NIC; vifnum selects which vifN.x the
 # network-bridge script associates with each bridge.
 /etc/xen/scripts/network-bridge start bridge=intbr netdev=eth0 vifnum=0
 /etc/xen/scripts/network-bridge start bridge=extbr netdev=eth1 vifnum=1
 /etc/xen/scripts/network-bridge start bridge=dmz netdev=eth2 vifnum=2

 # Give dom0 an address on the DMZ bridge.
 /sbin/ifconfig dmz 10.0.0.10 netmask 255.255.255.0 up

 # Pass bridged frames through the arptables/iptables/ip6tables hooks.
 echo 1 > /proc/sys/net/bridge/bridge-nf-call-arptables
 echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
 echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables

 # Boot the two firewall domUs.
 xm create intfw
 xm create extfw


And in my xmconfigs for intfw and extfw I have:

 intfw:
 vif = [ 'type=ioemu,mac=00:16:3e:0a:01:10,bridge=intbr',
         'type=ioemu,mac=00:16:3e:0a:01:11,bridge=dmz' ]

 extfw:
 vif = [ 'type=ioemu,mac=00:16:3e:0a:02:20,bridge=dmz',
         'type=ioemu,mac=00:16:3e:0a:02:21,bridge=extbr' ]


Run the start script and all comes up.

However I cannot ping from intfw to extfw.
"brctl showmacs intbr" shows both MAC addresses
for the internal firewall on the internal bridge.
  4     00:16:3e:0a:01:10       no         43.98
  5     00:16:3e:0a:01:11       no         87.64

The same happens with the external firewall: both its
MACs appear on the DMZ if I ping an external address.

I expected the DMZ to have the outbound MAC address of the
internal firewall plus the inbound MAC address of the external
firewall. Is brctl the wrong tool here?



If anybody has any advice, I would be keen to hear.



kind regards
S. 
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
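The check the poster is doing by hand with "brctl showmacs" can be scripted: compare the MACs each bridge has learned against the bridge each vif is configured for, and flag any MAC that turns up on a segment it does not belong to. The script below is an added example, not code from the post or from Xen; the MAC/bridge table is copied from the poster's vif lines, and the showmacs output is constructed to reproduce what was seen on intbr.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that every domU vif
# MAC is learned only on the bridge its xm config attaches it to. The
# expected table is taken from the intfw/extfw vif lines in the post; the
# "brctl showmacs" output below is constructed, not captured from a host.

# MAC -> bridge, one pair per line (from the intfw/extfw vif lines).
EXPECTED='00:16:3e:0a:01:10 intbr
00:16:3e:0a:01:11 dmz
00:16:3e:0a:02:20 dmz
00:16:3e:0a:02:21 extbr'

# Constructed stand-in for "brctl showmacs intbr" (columns: port no,
# mac addr, is local?, ageing timer). On a live host run the real command.
showmacs_intbr() {
cat <<'EOF'
port no mac addr                is local?       ageing timer
  4     00:16:3e:0a:01:10       no         43.98
  5     00:16:3e:0a:01:11       no         87.64
EOF
}

# learned_macs: read showmacs output on stdin and print the non-local MACs,
# i.e. source addresses the bridge learned from frames entering its ports.
learned_macs() {
    awk 'NR > 1 && $3 == "no" { print $2 }'
}

# expected_bridge MAC: print the bridge the MAC is configured on, or nothing.
expected_bridge() {
    printf '%s\n' "$EXPECTED" | awk -v m="$1" '$1 == m { print $2 }'
}

# check_bridge BRIDGE "MAC ...": report each MAC that is not a configured
# vif MAC or that is configured on another bridge; return 1 if any found.
check_bridge() {
    bridge=$1
    rc=0
    for mac in $2; do
        want=$(expected_bridge "$mac")
        if [ -z "$want" ]; then
            echo "$bridge: $mac is not a configured vif MAC"
            rc=1
        elif [ "$want" != "$bridge" ]; then
            echo "$bridge: $mac is configured on $want but was learned here"
            rc=1
        fi
    done
    return $rc
}

# Run the check on the constructed output: reports the dmz-side MAC of
# intfw that was learned on intbr, then prints a one-line verdict.
if check_bridge intbr "$(showmacs_intbr | learned_macs)"; then
    echo "intbr: learned MACs match the vif configuration"
else
    echo "intbr: a MAC was learned on the wrong bridge"
fi
```

On a real host replace the showmacs_intbr function with "brctl showmacs intbr" and run check_bridge once per bridge; a MAC reported on the wrong bridge means a frame with that source address entered that bridge, which is exactly the cross-segment leakage a two-firewall DMZ is meant to prevent.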
