This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


RE: [Xen-users] Managed Firewall

To: "'Simon Hobson'" <linux@xxxxxxxxxxxxxxxx>, <xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: RE: [Xen-users] Managed Firewall
From: "Dustin Henning" <Dustin.Henning@xxxxxxxxxxx>
Date: Tue, 15 Jun 2010 11:12:49 -0400
Delivery-date: Tue, 15 Jun 2010 08:14:20 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <p0624081ec83a7ee74004@xxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Organization: PRD, Inc.
References: <4C13C3A2.9000206@xxxxxxxxxxx> <p0624081dc83a4de8c3e1@xxxxxxxxxxxxxxxxxxxxxx> <4C14C196.9010906@xxxxxxxxxxx> <p0624081ec83a7ee74004@xxxxxxxxxxxxxxxxxxxxxx>
Reply-to: Dustin.Henning@xxxxxxxxxxx
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: AcsK9JUaGqV8TQHlQo62XP0WincQxQBqDGqA
Response in-line for once...

-----Original Message-----
From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
[mailto:xen-users-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Simon Hobson
Sent: Sunday, June 13, 2010 08:32
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Managed Firewall

Jonathan Tripathy wrote:

>Since I have plans for up to nearly 100 VMs on the same machine, how 
>well would Xen cope with 100 bridges?

No idea.

>I also have another idea, so maybe you could tell me if it would 
>work or not (Using physical firewall box):
>Let's say I have just one bridge per Xen host. Could I use 
>iptabled/ebtables to deny all inter-VM traffic? So only allow access 
>from the VM to the physical NIC of the box? Then on the physical 
>switch, I could put each port on a separate VLAN, but put the port 
>that the firewall is connected to on all the VLANs. Then, I assume, 
>the switch would send all traffic from the host ports to the 
>firewall port, where the firewall could do filtering? I'm not sure 
>if the firewall would even need to be VM aware..

Well the firewall will not have to be VM aware anyway - it just sees 
traffic on VLAN ports.

As to having one bridge and VLANs, if you connect multiple VLANs to 
one switch then that's the equivalent of trunking (bonding) multiple 
links together and won't help.  The only other way round it I can see 
is to use some fudging with /32 subnets for the clients so that they 
have no concept of there being 'neighbours' on the local subnet (and 
then enforce it with iptable/ebtables rules to prevent direct 
host-host traffic) - but that's beyond my experience and I don't know 
how well it works or what pitfalls there may be.

Primarily out of curiosity, are you assuming that the switch is not using
VLAN tagging along with trunking?  Is that even possible?  Assuming tagged
VLANs, I don't see what makes you think the switch is going to break that
boundary and send the data back.  Even if it did, the destination domU
should ignore it unless the tag was stripped by the switch.  Seems to me
like the switch would keep the VLANs separate and e firewall would have to
function as a sort of "VLAN Router," which may or may not be possible.

Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

Xen-users mailing list

Xen-users mailing list

<Prev in Thread] Current Thread [Next in Thread>