On Mon, Jan 24, 2005 at 12:12:00AM +0100, Matthieu PATOU wrote:
> On Fri, 21 Jan 2005 13:55:35 +0000
> Grzegorz Milos <gm281@xxxxxxxxxxxxxxxx> wrote:
> 
> > > Is it possible with Xen to construct something like the following 
> > > scenario.
> > >
> > > Free/NetBSD (*) domU server running pf or Linux/iptables, acting as a
> > > routing or bridging firewall for all the other domU guests? Further more
> > > create virtual DMZ and internal services.
> I've done it and it's been running for two or three months at home and it seems to
> work ...
For the comments below I assume you are using Linux as your firewall OS.
> Not sure, see my setup:
> I've two cards in dom0: eth0 and eth1. eth1 is linked to my xDSL modem, eth0
> to a switch for other physical machines; eth0 is also shared with other xenU
> domains (those that are considered to be after the firewall).
> br0 encapsulates eth0, one of the virtual network cards of my firewall (the one
> considered filtered) and the other xenU virtual network cards.
> br1 encapsulates eth1 and the other virtual network card.
So in a sense you've put your virtual servers on the same network as
some of your internal machines.
> My basic idea was not to configure eth1 at all; I thought that if the interface
> is not activated there is no chance of attacking xen0.
> It turns out that in order to have the packets directed to xenFirewall-input, I
> must do ifconfig eth1 up.
I've been thinking that the following similar method is possible, without
resorting to giving physical device access to a domU.
Basically the same as above, except I'll just have a virtual eth1.
Put dom0 and a virtual NIC for the firewall (domU1-eth0, say) on br0/eth0.
Put domU1-veth1 and all the other domUs on br1. Then set up domU1 as a
bridging firewall. Admin domU1 either via the console from dom0, or set up
a third private internal network accessible from dom0, or a management VPN.
So there are three bridges. Not sure how well it would perform, or
whether the Net/FreeBSD virtual NIC drivers can handle this scenario. It
seems workable though.
pf+altq are by far nicer than iptables.
Nicholas
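The dom0 side of the three-bridge layout Nicholas sketches, as an added example: this is not code from the thread and not Matthieu's or Nicholas's configuration. It assumes a Linux dom0 with bridge-utils and iproute2, the names eth0 (the physical NIC, shared with dom0), br0/br1/br2, domU1 for the firewall guest, an optional DOM0_ADDR variable for the address dom0 moves onto br0, and the Xen-2.0-style `vif = [ 'bridge=...' ]` config key. The audit at the end is the check Matthieu's remark calls for: eth1 (or here eth0 and br1) has to be up for frames to reach the firewall domU, but "up" is not the same as "addressed". The script reads `ip -o addr show` and fails if dom0 holds an address on the protected bridge, since that would be a layer-3 path into the guests that never crosses domU1; an IPv6 link-local address only produces a warning, because any up interface gets one and it is reachable only from that segment.

```shell
#!/bin/sh
# Added example, not code from the thread. dom0 side of the three-bridge layout:
#   br0  eth0 + dom0's own address + firewall vif 0        (upstream side; dom0 is here)
#   br1  firewall vif 1 + every other domU, no physical NIC (protected side)
#   br2  dom0 + firewall vif 2 only                         (management side)
# Names (eth0, br0..br2, domU1, DOM0_ADDR) and the Xen 'bridge=' vif key are assumptions.
# Defaults to printing the commands; set DRY_RUN=0 and run as root to apply them.
DRY_RUN="${DRY_RUN:-1}"

# Bridge plan, one "<bridge> <physical member or ->" per line.
plan_topology() {
    printf '%s\n' "br0 eth0" "br1 -" "br2 -"
}

# Create the bridges from the plan and enslave the physical NIC.
setup_bridges() {
    local run=""
    if [ "$DRY_RUN" = 1 ]; then run=echo; fi
    plan_topology | while read -r br phys; do
        $run brctl addbr "$br"
        $run brctl stp "$br" off      # a guest must not be able to reshape the topology via STP
        $run brctl setfd "$br" 0
        if [ "$phys" != "-" ]; then
            $run ip addr flush dev "$phys"   # the NIC itself carries no address
            $run brctl addif "$br" "$phys"
            $run ip link set "$phys" up      # must be up, or no frame reaches the firewall domU
        fi
        $run ip link set "$br" up
        # dom0's own address lives on the upstream bridge, not on the protected one.
        if [ "$br" = br0 ] && [ -n "${DOM0_ADDR:-}" ]; then
            $run ip addr add "$DOM0_ADDR" dev br0
        fi
    done
}

# Xen config lines (assumed 'bridge=' key): the firewall domU gets one vif per
# bridge, in bridge order; an inner domU gets a single vif on the protected bridge.
firewall_vif_config() {
    printf "vif = [ 'bridge=br0', 'bridge=br1', 'bridge=br2' ]\n"
}
inner_domu_vif_config() {
    printf "vif = [ 'bridge=br1' ]\n"
}

# Audit: read `ip -o addr show` on stdin; for the devices named in "$@", an IPv4
# address or a non-link-local IPv6 address is a FAIL (layer-3 path around the
# firewall), an IPv6 link-local address is only a WARN. Exit status 1 on any FAIL.
check_dom0_l2_only() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) wanted[w[i]] = 1; bad = 0 }
        ($2 in wanted) && ($3 == "inet" || $3 == "inet6") {
            scope = "?"
            for (i = 5; i < NF; i++) if ($i == "scope") scope = $(i + 1)
            if ($3 == "inet6" && scope == "link") {
                print "WARN " $2 " has link-local " $4 " (reachable from that segment over IPv6)"
            } else {
                print "FAIL " $2 " has " $3 " " $4 " (a layer-3 path around the firewall)"
                bad = 1
            }
        }
        END { exit bad }'
}

# Stand-alone run: show the commands and config lines, then audit the live dom0
# if iproute2 is present.
setup_bridges
firewall_vif_config
inner_domu_vif_config
if command -v ip >/dev/null 2>&1; then
    ip -o addr show | check_dom0_l2_only br1 && echo "OK: dom0 is layer-2 only on br1"
fi
```

Run it as root with `DRY_RUN=0 DOM0_ADDR=192.168.1.10/24 sh bridges.sh` (addresses are assumed values) after checking the printed commands; rerun the audit after every guest is started, since a misconfigured guest config or a stray `ifconfig` on the protected bridge is exactly what it is meant to catch.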