WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] Firewall in a guest domain?

Mike Hoesing wrote:
Anyone want to share a step-by-step howto for approach 4 below?

* Dedicate a physical device to a "firewall domain" and have it filter on that interface for all the other domains.

I've got this working, though not to my liking yet. To duplicate my setup:

Build or otherwise obtain a Xen0 kernel with the modules for your NIC(s). Use 'lspci' to find the PCI addresses for the devices you want to use in the DomU. Update the Xen entry for Xen0 in your GRUB config; mine looks like:

kernel /boot/xen-2.0.6.gz dom0_mem=131072 physdev_dom0_hide='(01:04.0)(00:04.0)(01:0a.0)'

Create a Xen guest definition file. **Use the _Xen0_ kernel as the kernel for the guest**. Add the PCI devices you hid from the host kernel to the file. My definition looks like:

pci = [ '01,04,0', '00,04,0', '01,0a,0' ]

Copy the /lib/modules data from your Xen0 kernel into the filesystem of the guest. Reboot to put the GRUB changes into effect, then start your guest. Install and configure your firewalling software, and go. I use my guest kernel as my DHCP server/gateway/firewall/router for the rest of my home network, including the host kernel; I just treat the eth0 within the guest as an interface to be NATed.

My issues so far are 1) extreme instability, which, for now, I'm assuming is caused by the heat in my apartment, and 2) the wireless NIC I stuck in the guest is up and running according to iwconfig and ifconfig, but I can't see the signal from a client. There are known issues using a WiFi card behind a bridge, but since it's on the other side in my setup, I'm pretty puzzled. More as I figure stuff out...

-sten

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
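As an added example (not part of sten's post or of Xen's own tooling), the following Python helper turns the PCI addresses printed by `lspci` into the two formats the post uses (the `physdev_dom0_hide=` kernel parameter and the Xen 2.0 guest-config `pci = [...]` line) and checks that the set of devices hidden from Xen0 matches the set handed to the firewall guest. The `lspci` lines are a constructed sample whose addresses match the ones quoted in the post; the device names are illustrative.

```python
import re

# Constructed sample of `lspci` output (addresses match the post above;
# the device descriptions are illustrative, not from a real machine).
SAMPLE_LSPCI = """\
00:00.0 Host bridge: Intel Corporation 82845 845 (Brookdale) Chipset Host Bridge
00:04.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+
01:04.0 Ethernet controller: 3Com Corporation 3c905C-TX/TX-M [Tornado]
01:0a.0 Network controller: Intersil Corporation Prism 2.5 Wavelan chipset
"""

# bus:device.function as lspci prints it (two hex digits, two hex digits, one digit)
BDF_RE = re.compile(r"^([0-9a-f]{2}):([0-9a-f]{2})\.([0-7])\s+(.*)$", re.I)

def parse_lspci(text):
    """Return {'bb:dd.f': description} for every device line in lspci output."""
    devices = {}
    for line in text.splitlines():
        m = BDF_RE.match(line.strip())
        if m:
            bus, dev, fn, desc = m.groups()
            devices["%s:%s.%s" % (bus.lower(), dev.lower(), fn)] = desc
    return devices

def dom0_hide_param(bdfs):
    """Build the kernel parameter that hides devices from Xen0: '(01:04.0)(00:04.0)...'."""
    return "physdev_dom0_hide='" + "".join("(%s)" % b for b in bdfs) + "'"

def guest_pci_line(bdfs):
    """Build the guest-config line; the Xen 2.0 format is 'bus,device,function'."""
    entries = []
    for b in bdfs:
        bus, rest = b.split(":")
        dev, fn = rest.split(".")
        entries.append("'%s,%s,%s'" % (bus, dev, fn))
    return "pci = [ " + ", ".join(entries) + " ]"

def check_assignment(lspci_text, hidden, assigned):
    """Report mismatches between what dom0 hides and what the guest receives.
    A device hidden but not assigned is simply lost; a device assigned but
    still visible to dom0 can end up driven by both kernels at once.
    Returns a sorted list of problem strings (empty means consistent)."""
    known = parse_lspci(lspci_text)
    problems = []
    for b in hidden:
        if b not in known:
            problems.append("hidden device %s not in lspci output" % b)
    for b in set(hidden) - set(assigned):
        problems.append("device %s hidden from dom0 but not assigned to the guest" % b)
    for b in set(assigned) - set(hidden):
        problems.append("device %s assigned to guest but still visible to dom0" % b)
    return sorted(problems)
```

Run `check_assignment` against the real `lspci` output before rebooting, since a mistyped address in either the GRUB line or the guest definition is only noticed once the firewall guest fails to come up.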