This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


Re: [Xen-users] Managed Firewall

To: Simon Hobson <linux@xxxxxxxxxxxxxxxx>, xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Managed Firewall
From: Jonathan Tripathy <jonnyt@xxxxxxxxxxx>
Date: Sun, 13 Jun 2010 12:31:34 +0100
Delivery-date: Sun, 13 Jun 2010 04:33:24 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <p0624081dc83a4de8c3e1@xxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <4C13C3A2.9000206@xxxxxxxxxxx> <p0624081dc83a4de8c3e1@xxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20100423 Thunderbird/3.0.4

On 13/06/10 10:02, Simon Hobson wrote:
Jonathan Tripathy wrote:

Once I roll out my Xen VPS hosting solution, I wish to provide a "managed firewall" service to my customers. What I wish to do is to use my firewall (which will sit on the edge between the ISP WAN and my VM's LAN) to filter traffic between the WAN and the LAN VMs (this is easy), as well as filter between the VMs.

Now, this "firewall" will actually be a "filtering bridge" as the VMs will be using public IPs, so the firewall's WAN and LAN interfaces will be bridged together. My question is, how can I "force" all traffic from each VM host to go back out via the firewall? Is it just a matter of using iptables/ebtable in the bridge in the Dom0 to make sure that the vifs can only communicate with the physical interface (which will be connected to the firewall) ?

For this to work, each VM must attach to a different "port" of your firewall. If the firewall were a VM on the same host then you could create a bridge per VM and connect them all to the firewall VM. But since as I read it you are using an external box, then you would need to use either a lot of real NICs, or more efficiently, use a VLAN per VM and trunk them to the switch.

If you just use one virtual switch (bridge) and connect multiple VMs to it, then you are correct in saying the switch will simply forward the packets directly between the VMs.

Hi Simon,

Thanks for your email.

Since I have plans for up to nearly 100 VMs on the same machine, how well would Xen cope with 100 bridges?

I also have another idea, so maybe you could tell me if it would work or not (Using physical firewall box): Let's say I have just one bridge per Xen host. Could I use iptabled/ebtables to deny all inter-VM traffic? So only allow access from the VM to the physical NIC of the box? Then on the physical switch, I could put each port on a separate VLAN, but put the port that the firewall is connected to on all the VLANs. Then, I assume, the switch would send all traffic from the host ports to the firewall port, where the firewall could do filtering? I'm not sure if the firewall would even need to be VM aware..

Would that work? Or is that just a bad idea?



Xen-users mailing list

<Prev in Thread] Current Thread [Next in Thread>