This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
AW: [Xen-users] Firewalling Xen?

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: AW: [Xen-users] Firewalling Xen?
From: Franz Von Hahn <franz.vonhahn@xxxxxxxx>
Date: Mon, 15 Dec 2008 22:20:47 +0000 (GMT)
Delivery-date: Mon, 15 Dec 2008 14:21:31 -0800
I do firewalling in this way:

The external NIC is attached to dom0 and has multiple IP addresses (which are on the public internet). The xenbr0 has the IP address and my domUs are on that 10.0.0.x network. All necessary services are firewalled in the dom0 and their necessary ports are forwarded using NAT. So I'm able to run multiple webservers (each on its own IP and with port 80), a DNS server, a mail server and a Windows machine, each in a properly firewalled domU. There's nothing special about that. But please note that some services might not work using NATted transfers. This is just a suggestion, please prove me wrong if there are any.

----- Original Message ----
From: Freddie Cash <fjwcash@xxxxxxxxx>
To: xen-users@xxxxxxxxxxxxxxxxxxx
Sent: Monday, 15 December 2008, 22:56:06
Subject: Re: [Xen-users] Firewalling Xen?

On December 15, 2008 1:50 pm Grant McWilliams wrote:
> On Mon, Dec 15, 2008 at 1:05 PM, Dustin Henning
> <Dustin.Henning@xxxxxxxxxxx>wrote:
> >        In case it is relevant, I simply allow all traffic to traverse
> > the forwarding chain when it is headed to a bridged destination.  I
> > then simply run a firewall on dom0 and each domU as if they were all
> > individual machines.  This seems to me like the way to go short of
> > doing something more drastic with hardware isolation, but as a lot of
> > people prefer to have much more complex firewall setups, it is
> > certainly likely that at least some of them have good reason.
> >         Dustin
> Keep in mind that this method means you'll be managing multiple
> firewalls. In my case it would be about 30 firewalls total. By separating
> the internal private network from the real network you can run with one
> firewall. However, having said that you can only forward each outside
> port to one port on one domU. This means if you have multiple web servers
> you can't forward the external port 80 to more than one internal possibly
> making it messy for external clients accessing the virtual machines by
> requiring them to access services on non-standard ports. In my setup this
> is fine because I only forward one port anyway (ssh) to allow remote
> logins.

You can always use 1:1 NAT between a public IP and a private IP, for each 
domU.  There's nothing that forces you to use a single IP for the firewalled 
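
Franz's single-firewall layout (public IPs on the dom0 NIC, domUs on 10.0.0.x, one forwarded service per public IP) and Freddie's 1:1 NAT variant, as an added example that is not from either poster: a POSIX shell script that emits the dom0 iptables rules. The interface names, the 203.0.113.x public addresses and the domU addresses are constructed assumptions.

```shell
#!/bin/sh
# Added example, not the posters' own configuration. Prints the iptables
# commands for a dom0 that firewalls NATted domUs behind xenbr0.
# Interface names and all addresses below are constructed assumptions.
EXT_IF=eth0       # NIC holding the public IPs
BR_IF=xenbr0      # bridge the domUs sit on (10.0.0.0/24)
DOMU_NET=10.0.0.0/24

# base_rules: default-deny FORWARD, let replies through, let domUs go out,
# and masquerade domUs that have no public address of their own.
base_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $BR_IF -o $EXT_IF -s $DOMU_NET -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -s $DOMU_NET -o $EXT_IF -j MASQUERADE"
}

# forward_port PUBLIC_IP PROTO PORT DOMU_IP
# Franz's model: one public IP per service, so several domUs can all answer
# on port 80. Only the forwarded port is opened in FORWARD; everything else
# on the domU stays unreachable from outside.
forward_port() {
    pub=$1; proto=$2; port=$3; domu=$4
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $pub -p $proto --dport $port -j DNAT --to-destination $domu:$port"
    echo "iptables -A FORWARD -i $EXT_IF -o $BR_IF -d $domu -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
}

# nat_1to1 PUBLIC_IP DOMU_IP
# Freddie's model: map a whole public IP onto one domU. The SNAT is inserted
# ahead of the general MASQUERADE so the domU's outbound traffic keeps its own
# address. Inbound still needs per-port FORWARD rules (e.g. forward_port),
# since the DROP policy applies. Protocols that carry addresses in-band (FTP,
# SIP) are the "services that might not work" behind NAT without helpers.
nat_1to1() {
    pub=$1; domu=$2
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $pub -j DNAT --to-destination $domu"
    echo "iptables -t nat -I POSTROUTING 1 -o $EXT_IF -s $domu -j SNAT --to-source $pub"
}

# Constructed sample: two web servers on port 80, a DNS server, one 1:1 domU.
build_ruleset() {
    base_rules
    forward_port 203.0.113.10 tcp 80 10.0.0.10
    forward_port 203.0.113.11 tcp 80 10.0.0.11
    forward_port 203.0.113.12 udp 53 10.0.0.12
    nat_1to1 203.0.113.20 10.0.0.20
}

build_ruleset
```

Review the printed commands, then run them on dom0 (or pipe the output to `sh`) once the addresses match your own layout.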


Xen-users mailing list