WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] Firewalling Xen?

lists@xxxxxxxxxxxxx wrote:

I have the following Xen config and I was wondering what you'd recommend as a firewall setup.


Dom0 - 198.175.98.50
Dom1 - 198.175.98.63 (Bridged)
Dom2 - 198.175.98.62 (Bridged)
Dom3 - 198.175.98.61 (Bridged)
Dom4 - 198.175.45.12 (Bridged)

I'm wondering how to set up a firewall for Dom0 when all traffic for the DomUs goes 'through' it. How should the firewall take this into account?

On a side note, I read a more secure way was to have the 'primary' Dom to be a DomU firewall to avoid exploits to the Dom0 but I can't find proper documentation for such a setup. Can someone point me in the right direction please?

I'll do the second one first as a) it's shorter, and b) if I do it at the end it's likely to get missed!

I think what you are referring to is the practice of making a DomU have the only connection to the outside, and for it to run as a two port firewall. You can either configure a second bridge to get the external traffic to the DomU, or hide the PCI device and make it a native hardware device available only to the DomU - the latter is what I have at home, and also I believe what Tom Eastep (author of the Shorewall package) runs for his Shorewall hosting.

For a firewall, I can recommend Shorewall (http://www.shorewall.net) which I believe takes a good position between low level (native iptables) and too restrictive.


Now, to the first bit:

I have another server that is set up something similar to your setup. I hand-crafted an init file to configure a few iptables rules to protect Dom0 - it's pointless trying to run a full firewall as a) I'm not sure anyone really understands networking fully under Xen, and b) the network keeps changing when guests start or stop.

My init script is (it actually has more as the machine has multiple networks, but I've ripped out all but one):

#! /bin/sh

### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $networking
# Required-Stop:     $networking
# Should-Start:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Firewall - home grown bash/iptables script
# Description: Script to build basic firewall directly with /sbin/iptables
### END INIT INFO

set -e

. /lib/lsb/init-functions

# Dom0's own address on the external interface (ethext)
ExtAdd=a.b.c.d

case "$1" in
  start)
        log_daemon_msg "Starting firewall"

        # Clear /sbin/iptables first
        /sbin/iptables -F

        # Set traffic not addressed to us to no-track
        # (i.e. bridged DomU traffic passing through Dom0 is not conntracked)
        # t:raw c:prerouting
        /sbin/iptables -t raw -A PREROUTING --in-interface ethext ! --dst $ExtAdd -j NOTRACK

        # filter:inbound
        # t:filter c:inbound-ext
        /sbin/iptables -t filter --new inbound-ext

        # allow established streams (ie outbound initiated connections)
        /sbin/iptables -t filter -A inbound-ext -m state --state RELATED,ESTABLISHED -j ACCEPT

        # allow icmp: unlimited echo-request from our own /29, rate-limited from elsewhere
        /sbin/iptables -t filter -A inbound-ext --src a.b.c.0/29 -p icmp --icmp-type 8 -j ACCEPT
        /sbin/iptables -t filter -A inbound-ext -p icmp --icmp-type 8 -m limit --limit 6/minute --limit-burst 10 -j ACCEPT
        /sbin/iptables -t filter -A inbound-ext -p icmp --icmp-type 8 -j DROP
        /sbin/iptables -t filter -A inbound-ext -p icmp -j ACCEPT

        # allow ssh (logged, and only from our own /29)
        /sbin/iptables -t filter -A inbound-ext --src a.b.c.0/29 -p tcp --dport 22 -j LOG --log-level info --log-prefix "FW net2fw"
        /sbin/iptables -t filter -A inbound-ext --src a.b.c.0/29 -p tcp --dport 22 -j ACCEPT

        # drop everything else
        /sbin/iptables -t filter -A inbound-ext -j DROP

        # filter: send inbound packets to us to chain inbound-[ext|bak|int]
        # t:filter c:INPUT
        # policy allow
        /sbin/iptables -t filter -A INPUT --dst $ExtAdd -j inbound-ext

        log_end_msg 0
        ;;
  stop)
        log_daemon_msg "Stopping firewall"
        /sbin/iptables -F
        /sbin/iptables -F -t raw
        /sbin/iptables -X inbound-ext
        log_end_msg 0
        ;;

  *)
        echo "Usage: /etc/init.d/firewall {start|stop}"
        exit 1
        ;;
esac

exit 0


Now, what I believe this does is:
Not track any traffic coming in on the external interface that isn't addressed to us.
Permits certain inbound traffic.
Blocks everything else.

--
Simon Hobson

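An added example, not from the post: a small Python audit that parses iptables-save output and checks the three properties Simon lists (foreign traffic NOTRACKed, inbound traffic to Dom0 dispatched to inbound-ext, everything else dropped), plus that the ssh ACCEPT is restricted to the admin network. The dump is constructed to match the script above using the Dom0 address from the question; the interface name ethext and the admin network 198.175.98.48/29 are assumed values.

```python
import shlex
# Constructed iptables-save text (not from the post) matching what the init
# script above loads on a Dom0 with external interface ethext and address
# 198.175.98.50; the admin network 198.175.98.48/29 is a made-up value.
DUMP_OK = """\
*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i ethext ! -d 198.175.98.50 -j NOTRACK
COMMIT
*filter
:INPUT ACCEPT [0:0]
:inbound-ext - [0:0]
-A INPUT -d 198.175.98.50 -j inbound-ext
-A inbound-ext -m state --state RELATED,ESTABLISHED -j ACCEPT
-A inbound-ext -s 198.175.98.48/29 -p tcp --dport 22 -j ACCEPT
-A inbound-ext -j DROP
COMMIT
"""
def parse_save(dump):
    """Return {table: {chain: [rule_tokens, ...]}} from iptables-save text."""
    tables, table = {}, {}
    for line in dump.splitlines():
        if line.startswith("*"):          # table header, e.g. *raw
            table = tables.setdefault(line[1:], {})
        elif line.startswith("-A "):      # rule appended to a chain
            toks = shlex.split(line)
            table.setdefault(toks[1], []).append(toks[2:])
    return tables                          # ':' chain lines and COMMIT are ignored
def has(rule, *pairs):
    """True if each (flag, value) pair occurs as adjacent tokens in the rule."""
    return all(any(rule[i:i + 2] == [f, v] for i in range(len(rule) - 1)) for f, v in pairs)
def audit(dump, ext_if, ext_addr, admin_net):
    """Check the three properties the post lists, plus that ssh is admin-only."""
    t = parse_save(dump)
    raw = t.get("raw", {}).get("PREROUTING", [])
    filt = t.get("filter", {})
    inbound = filt.get("inbound-ext", [])
    return {
        # traffic on the external interface not addressed to Dom0 (the bridged
        # DomUs) is exempted from conntrack; the '!' must directly precede -d
        "notrack_foreign": any(has(r, ("-i", ext_if), ("!", "-d"), ("-d", ext_addr),
                                   ("-j", "NOTRACK")) for r in raw),
        # packets addressed to Dom0 are handed to the inbound-ext chain
        "input_dispatched": any(has(r, ("-d", ext_addr), ("-j", "inbound-ext"))
                                for r in filt.get("INPUT", [])),
        # the chain ends with an unconditional DROP: everything else is blocked
        "default_drop": bool(inbound) and inbound[-1] == ["-j", "DROP"],
        # every ACCEPT for tcp/22 carries a source restriction to the admin net
        "ssh_restricted": all(has(r, ("-s", admin_net)) for r in inbound
                              if has(r, ("--dport", "22"), ("-j", "ACCEPT"))),
    }
```

Run it against a real `iptables-save` dump after the init script starts; a False value names which of the listed properties the live ruleset no longer has.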
