This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


[Xen-users] Re: Creating a DMZ domU

To: xen-users <xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-users] Re: Creating a DMZ domU
From: "Christopher Isip" <cmisip@xxxxxxxxx>
Date: Sun, 13 Jul 2008 23:06:30 -0400
Delivery-date: Sun, 13 Jul 2008 20:07:05 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <4bca5f6c0807122044k5cb40137pb2cec30631f2a6e2@xxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <4bca5f6c0807122044k5cb40137pb2cec30631f2a6e2@xxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx

On Sat, Jul 12, 2008 at 11:44 PM, Christopher Isip <cmisip@xxxxxxxxx> wrote:
I am going to try to create a domU webserver. My current setup is dom0 running CentOS 5.1 with two ethernet interfaces. One is pcibacked to an Asterisk domU (and hence invisible in dom0) and serves as the external interface there. The Asterisk domU is my gateway to the internet, default route, dhcpd server, dns server and ip masquerade server as well. The second interface in dom0 is the bridged interface to which all the domUs are connected (including the Asterisk domU). Everything seems to be working fine. I have a simple two interface shorewall configuration in the Asterisk domU.

My plan is to create a webserver domU and have shorewall run in it as well. The domU will have default drop policies for all incoming and outgoing connections. There will be a rule to allow incoming ssh and outgoing ssh. There will be a rule for allowing incoming http as well. The webserver domU will only have one interface, and that is the bridged interface from dom0.

In the Asterisk domU, I can write a DNAT rule to port forward http connections from the internet to the webserver domU.

It seems that this should work if Xen domUs really behave as if they are independent LAN hosts, which so far they have in my setup. My only question is how secure is this? Incoming connections from the internet for the http port will be forwarded to a bridged interface. Or maybe this is where things will break.

Anybody care to comment?


I just realized that iptables on a DMZ is useless. If an attacker gains access, the iptables rules could be rewritten and the DMZ could be used to access the network. Rather, the other hosts need to have default reject policies for the DMZ host. But I would rather not implement a firewall for each of the other hosts. My thinking is that perhaps I should not give the DMZ host a vif interface that is bridged to a physical ethernet device. If it's possible to create a bridge interface without any physical ethernet cards attached to it, I could then present vif1 to the Asterisk domU and vif2 to the DMZ and have the Asterisk domU be the gateway to the rest of the LAN and domUs. I would simply convert to a three interface shorewall configuration in the Asterisk domU with one interface net, the other local and the third DMZ.
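The NIC-less DMZ bridge and three-zone Shorewall layout sketched in the message above, written out as an added example; this is not code from the original post or from the Xen or Shorewall projects. The bridge name dmzbr, the 10.0.3.0/24 range, the web domU address 10.0.3.10, and the assumption that inside the Asterisk domU the PCI-passed NIC is eth0, the xenbr0 vif is eth1 and the new DMZ vif is eth2 are all constructed for illustration and need to be matched to the real system.

```sh
#!/bin/sh
# Added example, not from the original post. Creates a Xen bridge with no
# physical NIC behind it and writes a three-zone Shorewall config for the
# firewall (Asterisk) domU. Bridge name, addresses and interface names are
# assumptions for illustration.
set -e

DMZ_BRIDGE="${DMZ_BRIDGE:-dmzbr}"   # assumed name of the NIC-less bridge in dom0
DMZ_NET="10.0.3.0/24"               # constructed: address range of the DMZ segment
WEB_IP="10.0.3.10"                  # constructed: the web server domU's DMZ address

# dom0 side (run as root): a bridge with no enslaved physical port and no IP
# address on dom0. Only vifs attached to it can send or receive on it, so the
# DMZ domU's sole path out is through whichever other domU also has a vif here.
create_dmz_bridge() {
    brctl addbr "$DMZ_BRIDGE"
    brctl stp "$DMZ_BRIDGE" off
    ip link set "$DMZ_BRIDGE" up
    # deliberately no 'brctl addif $DMZ_BRIDGE eth1' and no 'ip addr add' here
}

# vif lines for the /etc/xen/<domU> configs. The firewall domU keeps its LAN
# vif on xenbr0 and gains a second vif on the DMZ bridge; the web domU gets
# exactly one vif, on the DMZ bridge.
firewall_vif_line() {
    printf "vif = [ 'bridge=xenbr0', 'bridge=%s' ]\n" "$DMZ_BRIDGE"
}
web_vif_line() {
    printf "vif = [ 'bridge=%s' ]\n" "$DMZ_BRIDGE"
}

# Shorewall files for the firewall domU. Assumed interface order inside that
# domU: eth0 = PCI-passed external NIC, eth1 = vif on xenbr0 (LAN),
# eth2 = vif on the DMZ bridge.
write_shorewall_config() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
EOF
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter
loc     eth1        detect
dmz     eth2        detect
EOF
    # The policy is what makes the DMZ a DMZ: nothing the web domU initiates
    # reaches the LAN, whatever happens to iptables inside the web domU.
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
loc     dmz     ACCEPT
dmz     loc     REJECT  info
dmz     net     REJECT  info
net     all     DROP    info
all     all     REJECT  info
EOF
    # Only the holes the post asks for: HTTP from the internet to the web
    # domU, SSH from the LAN into the DMZ, and DNS from the DMZ to this domU.
    cat > "$dir/rules" <<EOF
#ACTION SOURCE  DEST            PROTO   DEST PORT
DNAT    net     dmz:$WEB_IP     tcp     80
ACCEPT  loc     dmz             tcp     22
ACCEPT  dmz     fw              udp     53
ACCEPT  dmz     fw              tcp     53
EOF
    # LAN masquerade as in the existing two-interface setup, plus the DMZ
    # range for any dmz->net port opened later (DNAT replies need no masq).
    cat > "$dir/masq" <<EOF
#INTERFACE  SOURCE
eth0        eth1
eth0        $DMZ_NET
EOF
}

# Check to run before 'shorewall restart': the policy table must not let the
# DMZ zone initiate anything towards the LAN. Returns 0 when isolated.
dmz_isolated() {
    dir="$1"
    if grep -E '^dmz[[:space:]]+(loc|all)[[:space:]]+ACCEPT' "$dir/policy" >/dev/null; then
        return 1
    fi
    grep -E '^dmz[[:space:]]+loc[[:space:]]+(REJECT|DROP)' "$dir/policy" >/dev/null
}

# Usage: 'sh dmz.sh bridge' on dom0; 'sh dmz.sh shorewall /etc/shorewall' in the firewall domU.
case "${1:-}" in
    bridge)    create_dmz_bridge ;;
    shorewall) write_shorewall_config "${2:-/etc/shorewall}" && dmz_isolated "${2:-/etc/shorewall}" ;;
esac
```

The bridge created by `create_dmz_bridge` does not survive a reboot; on CentOS it belongs in an ifcfg file with TYPE=Bridge, or in a script that runs before xend starts the domUs. The Shorewall files overwrite whatever is already in the target directory, so merge the existing two-interface `rules` and `masq` entries into them first. The point the message makes is visible in `dmz_isolated`: because the bridge has no physical port and dom0 holds no address on it, the web domU can only talk to the Asterisk domU, and the `policy` file in that domU, not anything inside the web domU, is what keeps a compromised web server away from the LAN.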

