This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


[Xen-users] Managed Firewall

To: Xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] Managed Firewall
From: Jonathan Tripathy <jonnyt@xxxxxxxxxxx>
Date: Sat, 12 Jun 2010 18:28:02 +0100
Delivery-date: Sat, 12 Jun 2010 10:29:18 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20100423 Thunderbird/3.0.4
Hi everyone,

Once I roll out my Xen VPS hosting solution, I wish to provide a "managed firewall" service to my customers. What I wish to do is to use my firewall (which will sit on the edge between the ISP WAN and my VM's LAN) to filter traffic between the WAN and the LAN VMs (this is easy), as well as filter between the VMs.

Now, this "firewall" will actually be a "filtering bridge" as the VMs will be using public IPs, so the firewall's WAN and LAN interfaces will be bridged together. My question is, how can I "force" all traffic from each VM host to go back out via the firewall? Is it just a matter of using iptables/ebtable in the bridge in the Dom0 to make sure that the vifs can only communicate with the physical interface (which will be connected to the firewall) ?

I think the hardest part will be to configure the switch in such a way that it doesn't route traffic directly to the destination VM.

The firewall will be using pfsense by the way.

Any help or tips is very much appreciated.


Xen-users mailing list

<Prev in Thread] Current Thread [Next in Thread>