This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] Question about using Xen in a periphery firewall/router

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Question about using Xen in a periphery firewall/router scenario
From: "J. Roeleveld" <joost@xxxxxxxxxxxx>
Date: Fri, 21 Aug 2009 12:21:14 +0200
Delivery-date: Fri, 21 Aug 2009 03:22:04 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <7e41ba8f0908200433m6f6feb1eq84ebda1bc65b9b8b@xxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <7e41ba8f0908200433m6f6feb1eq84ebda1bc65b9b8b@xxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: KMail/1.11.4 (Linux/2.6.27-gentoo-r7; KDE/4.2.4; x86_64; ; )
On Thursday 20 August 2009 13:33:07 Sanjay Arora wrote:
> Hello All
> XEN newbie here.
> If I install minimal linux for XEN in dom0 and a periphery firewall in
> domU and other applications in other instances of domU, is it possible
> to restrict/bind the network card to domU having periphery firewall
> and from there forward packets for dom0 or for other domUs?
> Is this possible? If so, is it secure? Or does dom0 always have direct
> access to Network Card and needs a separate firewall? And packets will
> always route from dom0 to all domUs ?
> What are the issues involved?
> With best regards.
> Sanjay.

I actually set up separate bridges for each network card I have in my 
Then I hook them all into the firewall-domU and only hook the separate domains 
to each bridge depending on where they belong in the network.

The dom0 uses a dummy-device to be connected to one of the bridges and this 
works correctly for me.

I do, however, set up all the bridges, apart from the one that dom0 is 
connected to, but that is because I haven't figured out how to configure 
multiple bridges in the xen-configuration.

As for how secure it is, unless there is some attack-vector that can access 
the dom-0 over a bridge that only has the physical network device (no ip) and 
the connection to the firewall-domain, this should be quite safe.

In the past 4 years that I've been using this set-up, I have not seen any 
evidence of any packets reaching the dom0 other than the ones I allow through 
the firewall.

Let me know if you want me to go more in-depth on how I set this up.
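As an added illustration of the layout Joost describes (this is example code written for this archive page, not code from the post or from Xen), the script below audits a dom0 for the properties he relies on: bridges that carry a physical NIC have no IP address in dom0, dom0 reaches the network only through the dummy device on one bridge, and every bridge is attached to the firewall domU. The bridge names, the `dummy0` device, the vif line and the simplified `ip -o -4 addr show` output are all constructed sample data.

```python
import re

# Constructed sample data (assumptions, not from the mailing-list post).
# Bridge membership in dom0, as `brctl show` would report it: bridge -> ports.
BRIDGE_PORTS = {
    "xenbr0": ["eth0", "vif1.0"],            # uplink NIC, firewall domU only
    "xenbr1": ["eth1", "vif1.1", "vif2.0"],  # LAN NIC, firewall domU and a server domU
    "xenbr2": ["dummy0", "vif1.2"],          # dom0's own segment via the dummy device
}
# Simplified `ip -o -4 addr show` output from dom0: only the dummy-backed bridge has an IP.
IP_ADDR_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo
5: xenbr2    inet 192.0.2.10/24 brd 192.0.2.255 scope global xenbr2
"""
# vif line from the firewall domU's Xen config: one interface on every bridge.
FIREWALL_VIF_LINE = "vif = [ 'bridge=xenbr0', 'bridge=xenbr1', 'bridge=xenbr2' ]"

PHYSICAL_NIC = re.compile(r"^eth\d+$")

def addressed_interfaces(ip_output):
    """Names of dom0 interfaces carrying an IPv4 address (second field of each line)."""
    return {line.split()[1] for line in ip_output.splitlines() if line.strip()}

def firewall_bridges(vif_line):
    """Bridges the firewall domU is attached to, from its `vif = [...]` config line."""
    return set(re.findall(r"bridge=(\w+)", vif_line))

def audit(bridge_ports, ip_output, vif_line):
    """Return findings that break the described layout; an empty list means it holds."""
    findings = []
    addressed = addressed_interfaces(ip_output)
    fw_bridges = firewall_bridges(vif_line)
    for bridge, ports in bridge_ports.items():
        holds_nic = any(PHYSICAL_NIC.match(p) for p in ports)
        if holds_nic:
            # A bridge carrying a physical NIC must expose no IP in dom0, neither on the
            # bridge itself nor on the NIC: dom0 should only be reachable via the firewall.
            for iface in [bridge] + ports:
                if iface in addressed:
                    findings.append(f"{bridge}: dom0 has an IP on {iface}")
        if bridge not in fw_bridges:
            # Every bridge is hooked into the firewall domU; otherwise traffic on that
            # segment bypasses the firewall entirely.
            findings.append(f"{bridge}: not attached to the firewall domU")
    return findings

for finding in audit(BRIDGE_PORTS, IP_ADDR_OUTPUT, FIREWALL_VIF_LINE) or ["layout OK"]:
    print(finding)
```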
