This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


RE: [Xen-users] Firewalling Xen?

To: <lists@xxxxxxxxxxxxx>, <xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: RE: [Xen-users] Firewalling Xen?
From: "James Harper" <james.harper@xxxxxxxxxxxxxxxx>
Date: Tue, 16 Dec 2008 11:10:09 +1100
Delivery-date: Mon, 15 Dec 2008 16:10:48 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <14915851.141229329317606.JavaMail.root@xxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <33443850.121229329068567.JavaMail.root@xxxxxxxxxxxxxxxxxx> <14915851.141229329317606.JavaMail.root@xxxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: Aclejldiy6b89e3RRFSnXeas8AJQ1gAg3Juw
Thread-topic: [Xen-users] Firewalling Xen?
> Hi all,
> I have the following Xen config and I was wondering what you'd
> recommend as a firewall setup.
> Dom0 -
> Dom1 - (Bridged)
> Dom2 - (Bridged)
> Dom3 - (Bridged)
> Dom4 - (Bridged)
> I'm wondering how to set up a firewall for Dom0 when all traffic for
> DomUs goes 'through' it.  How should the firewall take this into
> On a side note, I read a more secure way was to have the 'primary' Dom
> be a DomU firewall to avoid exploits to the Dom0 but I can't find
> documentation for such a setup.  Can someone point me in the right
> direction please?

On my server I have the firewall all on Dom0, despite some
recommendations to the contrary. That way if something goes wrong after
an upgrade, or if I want to boot into a non-xen kernel, I still have
connectivity. The machine is at a colo but I still have console access
(HP iLO2), so I could move the firewall and still be able to get to it
in an emergency. It seems easier this way though.

Do you want to firewall the DomUs from each other? Or just from the
internet? If the former then you'll need to have iptables interact with
the bridging code, which always gives me a headache. If the latter, then
I would try and arrange it so that the physical Ethernet device is on
Dom0 on its own IP address and not bridged, and then route onto a
bridge which isn't connected to a physical network adapter, and put the
firewall rules on Dom0 between the physical network and the bridged
network. You might need some more IP addresses though.

If you have lots of IP addresses already, you could split your network
up into a bunch of /30s and route between them...
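The layout James describes above, as an added example (shell written for this archive, not code from the thread or from the Xen project): the physical NIC stays on dom0 with its own address and is never enslaved to a bridge, the DomUs sit on a bridge that has no physical port, and dom0 routes between the two with the firewall rules in its FORWARD chain. Everything concrete in it is assumed for illustration: the interface names (eth0, xenbr0), the addresses (taken from the RFC 5737 documentation ranges), and the published services. NAT_MODE="yes" is the one-public-IP case; NAT_MODE="no" is the case he mentions where you have spare addresses and simply route them onto the bridge. ISOLATE_DOMUS shows the bridge/iptables interaction he warns about: traffic switched between two vifs on the same bridge never passes through the routing code, so it only reaches FORWARD when bridge-nf-call-iptables is on.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds the dom0
# iptables ruleset for a "routed bridge" Xen host: eth0 is dom0's own,
# unbridged NIC; xenbr0 is a bridge with no physical port that every
# DomU vif joins; dom0 routes and filters between them.
# All interface names, addresses and services below are assumed values.

WAN_IF="eth0"            # physical NIC: dom0 only, never part of a bridge
WAN_IP="198.51.100.10"   # dom0's public address on eth0 (assumed)
LAN_IF="xenbr0"          # bridge with no physical port; DomU vifs join it
LAN_NET="192.0.2.0/24"   # DomU subnet behind dom0 (assumed)
NAT_MODE="yes"           # yes: one public IP, SNAT out and DNAT in
                         # no:  LAN_NET is routed public space, no NAT
ISOLATE_DOMUS="yes"      # also drop DomU-to-DomU traffic on the bridge

# Services reachable from the internet: "<DomU address> <proto> <port>"
SERVICES="192.0.2.11 tcp 80
192.0.2.11 tcp 443
192.0.2.12 tcp 25"

# Print an iptables-restore ruleset on stdout. Nothing is applied here.
gen_dom0_rules() {
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    # dom0 itself: loopback, replies, ssh from outside, ping from guests.
    # Guests get nothing else from dom0, which is the point of the layout.
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate INVALID -j DROP"
    echo "-A INPUT -i $WAN_IF -p tcp --dport 22 -j ACCEPT"
    echo "-A INPUT -i $LAN_IF -p icmp --icmp-type echo-request -j ACCEPT"
    # Routed traffic between the physical network and the bridge.
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -m conntrack --ctstate INVALID -j DROP"
    if [ "$ISOLATE_DOMUS" = "yes" ]; then
        # Frames switched between two vifs on the same bridge only reach
        # FORWARD (with in and out interface both = the bridge) when
        # net.bridge.bridge-nf-call-iptables=1; without it this rule
        # never matches and the guests can talk to each other freely.
        echo "-A FORWARD -i $LAN_IF -o $LAN_IF -j DROP"
    fi
    echo "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
    printf '%s\n' "$SERVICES" | while read -r addr proto port; do
        [ -n "$addr" ] || continue
        echo "-A FORWARD -i $WAN_IF -o $LAN_IF -d $addr -p $proto --dport $port -j ACCEPT"
    done
    echo "COMMIT"

    if [ "$NAT_MODE" = "yes" ]; then
        echo "*nat"
        echo ":PREROUTING ACCEPT [0:0]"
        echo ":POSTROUTING ACCEPT [0:0]"
        # Publish each service on dom0's single public address.
        printf '%s\n' "$SERVICES" | while read -r addr proto port; do
            [ -n "$addr" ] || continue
            echo "-A PREROUTING -i $WAN_IF -d $WAN_IP -p $proto --dport $port -j DNAT --to-destination $addr:$port"
        done
        echo "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP"
        echo "COMMIT"
    fi
}

# Load the ruleset plus the sysctls it depends on. Root on dom0 only.
apply_dom0_rules() {
    sysctl -w net.ipv4.ip_forward=1
    if [ "$ISOLATE_DOMUS" = "yes" ]; then
        modprobe br_netfilter 2>/dev/null || true   # built into bridge on old kernels
        sysctl -w net.bridge.bridge-nf-call-iptables=1
    fi
    gen_dom0_rules | iptables-restore
}

case "${1-}" in
    --apply) apply_dom0_rules ;;
    *)       gen_dom0_rules ;;     # dry run: print the ruleset for review
esac
```

Run it with no arguments to review the generated ruleset, and with --apply as root on dom0 to load it. Because the rules live on dom0 and dom0 is your only path to the box, do the first --apply from an out-of-band console (the iLO James mentions) rather than over ssh, so a typo in the INPUT chain does not lock you out. With NAT_MODE="no" the nat table is omitted entirely and LAN_NET is expected to be a routed public block that the upstream router already sends to dom0's eth0 address.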

