This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] Question about using Xen in a periphery firewall/router

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Question about using Xen in a periphery firewall/router scenario
From: Simon Hobson <linux@xxxxxxxxxxxxxxxx>
Date: Thu, 20 Aug 2009 13:43:36 +0100
Delivery-date: Thu, 20 Aug 2009 05:44:24 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <7e41ba8f0908200433m6f6feb1eq84ebda1bc65b9b8b@xxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <7e41ba8f0908200433m6f6feb1eq84ebda1bc65b9b8b@xxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Sanjay Arora wrote:

> XEN newbie here.

We all started there - I'm not much further on!

> If I install minimal linux for XEN in dom0 and a periphery firewall in
> domU and other applications in other instances of domU, is it possible
> to restrict/bind the network card to the domU having the periphery firewall
> and from there forward packets for dom0 or for other domUs?
>
> Is this possible? If so, is it secure? Or does dom0 always have direct
> access to the Network Card and need a separate firewall? And will packets
> always route from dom0 to all domUs?

OK, there are two ways to deal with this.

The approach I've used at home is to hide a network card from Dom0 (see pciback.hide) and pass it through to a DomU which then sees it as a native interface. I then run a firewall in the DomU and the outside traffic does NOT go through Dom0. The route for packets is then:

real i/f -> DomU (firewall) -> VIF -> int bridge [ Dom0 | VIF -> DomU ]

An alternative is to create more than one bridge in Dom0. The 'outside' bridge has as members the real network card and the VIF for your firewall DomU. Dom0 either has no interface defined on this bridge*, or some iptables rules to block all outside traffic. The 'internal' bridge has member interfaces for Dom0, your firewall DomU, and all other DomUs. The route for packets is then:

real i/f -> ext bridge -> VIF -> DomU (firewall) -> VIF -> int bridge [ Dom0 | VIF -> DomU ]

* Personally, I've never got the bridge to work this way.
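As an added illustration of the two-bridge layout (this is not Simon's script or anything shipped with Xen): a small Dom0 shell script that builds the two bridges, applies the iptables fallback for the case where Dom0 does end up with an address on the outside bridge, and prints the vif line for the firewall DomU's config. The interface and bridge names (eth0, xenbr-ext, xenbr-int) are assumptions and can be overridden from the environment; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Two-bridge layout: the firewall DomU has one VIF on each bridge; Dom0's own
# address and every other DomU sit on the internal bridge only.
# Names below are assumptions (override via the environment).
EXT_IF=${EXT_IF:-eth0}          # the real, outside-facing NIC
EXT_BR=${EXT_BR:-xenbr-ext}     # bridge: real NIC + firewall DomU's outside VIF
INT_BR=${INT_BR:-xenbr-int}     # bridge: Dom0 + firewall inside VIF + other DomUs
DRY_RUN=${DRY_RUN:-0}           # 1 = print the commands instead of running them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

setup_bridges() {
    run brctl addbr "$EXT_BR"
    run brctl addif "$EXT_BR" "$EXT_IF"
    # No address on the NIC or on the external bridge: Dom0's IP stack is
    # simply absent from the outside segment (the "no interface" option).
    run ip addr flush dev "$EXT_IF"
    run ip link set "$EXT_IF" up
    run ip link set "$EXT_BR" up
    run brctl addbr "$INT_BR"
    run ip link set "$INT_BR" up
}

# Fallback for when Dom0 does get an address on the external bridge.
# INPUT/OUTPUT keep Dom0's own stack off that bridge; the FORWARD rules stop
# Dom0 routing around the firewall DomU. Bridged frames are excluded
# (! --physdev-is-bridged) because with bridge-nf enabled the NIC <-> firewall
# VIF traffic on the same bridge also traverses FORWARD, and a plain
# "-i $EXT_BR -j DROP" there would cut the firewall DomU off from the outside.
dom0_filter() {
    run sysctl -w net.ipv4.ip_forward=0
    run iptables -A INPUT  -i "$EXT_BR" -j DROP
    run iptables -A OUTPUT -o "$EXT_BR" -j DROP
    run iptables -A FORWARD -i "$EXT_BR" -m physdev ! --physdev-is-bridged -j DROP
    run iptables -A FORWARD -o "$EXT_BR" -m physdev ! --physdev-is-bridged -j DROP
}

# vif line for the firewall DomU's xm config: outside VIF first, inside second.
# Every other DomU gets only  vif = [ 'bridge=xenbr-int' ].
firewall_domu_vifs() {
    echo "vif = [ 'bridge=$EXT_BR', 'bridge=$INT_BR' ]"
}

if [ "${1:-}" = apply ]; then
    setup_bridges
    dom0_filter
    firewall_domu_vifs
fi
```

Run it as `sh bridges.sh apply` on Dom0 (or with `DRY_RUN=1` first to review the commands); the pciback.hide approach needs none of this, only the NIC hidden on the Dom0 kernel command line and handed to the firewall DomU with a `pci = [...]` line.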

Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

Xen-users mailing list