This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] Question about using Xen in a periphery firewall/router

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Question about using Xen in a periphery firewall/router scenario
From: "Fajar A. Nugraha" <fajar@xxxxxxxxx>
Date: Thu, 20 Aug 2009 21:45:14 +0700
Delivery-date: Thu, 20 Aug 2009 07:46:08 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <a0624081cc6b2f34a9625@xxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <7e41ba8f0908200433m6f6feb1eq84ebda1bc65b9b8b@xxxxxxxxxxxxxx> <a0624081cc6b2f34a9625@xxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
On Thu, Aug 20, 2009 at 7:43 PM, Simon Hobson <linux@xxxxxxxxxxxxxxxx> wrote:
> Sanjay Arora wrote:
>> Is this possible? If so, is it secure? Or does dom0 always have direct
>> access to the network card and need a separate firewall? And will packets
>> always route from dom0 to all domUs?
> OK, there are two ways to deal with this.

> An alternative is to create more than one bridge in Dom0. The 'outside'
> bridge will have as members the real network card and the VIF for your
> firewall DomU. Dom0 either has no interface defined on this bridge*, or some
> iptables rules to block all outside traffic. The 'internal' bridge has
> member interfaces for Dom0, your firewall DomU, and all other DomUs. The
> route for packets is then:
> real i/f -> ext bridge -> VIF -> DomU (firewall) -> VIF -> int bridge \
>  [ Dom0 | VIF -> DomU ]

This is what I use. From a security perspective, this is the same as
having an L2 switch (when dom0's bridges have no IP address) or an L3
switch (when dom0's bridges have an IP address).


Xen-users mailing list
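An added example, not from the thread or the Xen project: a POSIX shell audit of the two-bridge layout Simon describes, applying Fajar's criterion that a bridge with no dom0 address behaves as an L2 switch. It assumes the bridge names xenbr-ext and xenbr-int, eth0 as the real NIC and vif1.* as the firewall domU's interfaces, and runs over constructed `ip -o -4 addr show` and `brctl show` output rather than the live dom0.

```shell
#!/bin/sh
# Added example: check that the outside bridge is L2 in dom0 (no address) and
# carries only the real NIC plus the firewall VIF. Names below are assumptions;
# the samples are constructed so this runs offline instead of calling ip/brctl.
EXT_BR=xenbr-ext   # outside bridge: real NIC + firewall VIF only
INT_BR=xenbr-int   # inside bridge: dom0, firewall VIF, other domUs

# Constructed output of `ip -o -4 addr show` on dom0 (hypothetical addresses).
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
5: xenbr-int    inet 192.0.2.1/24 brd 192.0.2.255 scope global xenbr-int'

# Constructed output of `brctl show` on dom0 (vif1.* = firewall domU).
SAMPLE_BRCTL='bridge name    bridge id           STP enabled    interfaces
xenbr-ext      8000.000000000001   no             eth0
                                                  vif1.0
xenbr-int      8000.000000000002   no             vif1.1
                                                  vif2.0'

# bridge_has_ip BRIDGE ADDR_OUTPUT: exit 0 if dom0 has an IPv4 address on it.
bridge_has_ip() {
    printf '%s\n' "$2" | awk -v br="$1" '$2 == br && $3 == "inet" { f = 1 } END { exit !f }'
}

# bridge_mode BRIDGE ADDR_OUTPUT: L2 when dom0 holds no address there, else L3.
bridge_mode() {
    if bridge_has_ip "$1" "$2"; then echo L3; else echo L2; fi
}

# bridge_members BRIDGE BRCTL_OUTPUT: member interfaces, one per line.
bridge_members() {
    printf '%s\n' "$2" | awk -v br="$1" '
        NR == 1 { next }                      # header line
        NF == 4 { cur = $1; if (cur == br) print $4; next }
        NF == 1 && cur == br { print $1 }'    # continuation lines
}

# audit_ext_bridge NIC FW_VIF: 0 only when the outside bridge is L2 in dom0 and
# its members are exactly the real NIC and the firewall domU's VIF.
audit_ext_bridge() {
    [ "$(bridge_mode "$EXT_BR" "$SAMPLE_ADDR")" = L2 ] || return 1
    got=$(bridge_members "$EXT_BR" "$SAMPLE_BRCTL" | sort | tr '\n' ' ')
    want=$(printf '%s\n%s\n' "$1" "$2" | sort | tr '\n' ' ')
    [ "$got" = "$want" ]
}

# Xen domU config line giving the firewall one VIF on each bridge.
firewall_vif_line() {
    printf "vif = [ 'bridge=%s', 'bridge=%s' ]\n" "$EXT_BR" "$INT_BR"
}
```

On a real dom0, replace the two SAMPLE_ variables with the live command output; a non-zero exit from audit_ext_bridge means dom0 is reachable from the outside bridge without passing through the firewall domU.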