Mailing List Archive: Xen: Users

Firewall in domU, networking in XEN

 

 

slawek.k_xl at wp

Apr 30, 2012, 2:00 AM

Post #1 of 20
Firewall in domU, networking in XEN

Hi all,

I want to run XEN on a dedicated server with following structure:
dom0 as hypervisor.
domU1 as a gateway - firewall, DNS, openVPN and maybe DHCP server. Firewalling via Shorewall.
domU2 as internal server with several services (Apache, MySQL available locally)
domU3 as DMZ with external Apache server that can be queried from external.

users from the outside should connect to OpenVPN at domU1 and have an access to the services on domU2.
Apache on domU3 will connect to MySQL at domU2 and present the data to the client. That should ensure better security in case when domU3 is exposed.
domU1 should ensure firewalling the system, port forwarding 80 to domU3 and creating a NAT.
The physical machine will have one NIC with one public IP.

My question, as a XEN beginner: is this config quite feasible?
What should be improved?
Should I use bridged or routed mode in XEN?
I know that I have to enable the NIC at domU1 by adding pci and netif=1 parameters to the config.
I also found this link: http://www.shorewall.net/3.0/XenMyWay.html
In my case I have only one public IP and I don't have a wifi zone.
I don't want to assign a public IP to domU2, just forward the port.
Will assigning the public IP to domU2 improve scalability if we want to add more publicly available services?
Any recommended tutorials, howtos?

Thanks
Slawek Kosowski




_______________________________________________
Xen-users mailing list
Xen-users [at] lists
http://lists.xen.org/xen-users
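The zone layout described in the post above (net on the single NIC, loc for domU2, dmz for domU3, a VPN zone, port 80 forwarded to the DMZ web server, the DMZ allowed to reach only MySQL on domU2, everything else NATed behind the one public address) written out as a Shorewall ruleset for domU1. This is an added example, not the original poster's configuration and not anything from the Shorewall project; the interface names eth0/eth1/eth2/tun0, the subnets 192.168.2.0/24, 192.168.3.0/24 and 10.8.0.0/24 and the .10 host addresses are assumptions. The function writes the files into a directory so the set can be reviewed outside /etc/shorewall first.

```shell
#!/bin/sh
# Added example, not the original poster's configuration and not from the
# Shorewall project. Writes a Shorewall 4.x ruleset for the firewall domU
# (domU1) into the directory given as $1 (default /etc/shorewall).
# Everything below the zone names is an assumption:
#   eth0  net  the single NIC with the public IP (passthrough or vif on the external bridge)
#   eth1  loc  192.168.2.0/24, domU2 (Apache + MySQL) at 192.168.2.10
#   eth2  dmz  192.168.3.0/24, domU3 (public Apache) at 192.168.3.10
#   tun0  vpn  10.8.0.0/24, OpenVPN terminated on the firewall domU itself
write_shorewall_config() {
    dir=${1:-/etc/shorewall}
    mkdir -p "$dir"

    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
vpn     ipv4
EOF

    # Format-1 interfaces file (BROADCAST column kept as "-").
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        -           tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        -           tcpflags
dmz     eth2        -           tcpflags
vpn     tun0        -
EOF

    # Policies are matched top-down; everything not listed ends in REJECT.
    # There is deliberately no dmz->loc policy: only the MySQL rule below
    # crosses that boundary, so a compromised domU3 sees nothing else.
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOGLEVEL
loc     net     ACCEPT
vpn     loc     ACCEPT
dmz     net     DROP    info
net     all     DROP    info
all     all     REJECT  info
EOF

    cat > "$dir/rules" <<'EOF'
#ACTION         SOURCE              DEST                PROTO   DPORT
# public web traffic: port-forward 80 to the DMZ web server (domU3)
DNAT            net                 dmz:192.168.3.10    tcp     80
# OpenVPN terminates on the firewall domU
ACCEPT          net                 $FW                 udp     1194
# the DMZ web server may reach MySQL on domU2 and nothing else in loc
MySQL(ACCEPT)   dmz:192.168.3.10    loc:192.168.2.10
# DNS from the inside zones to the resolver on the firewall
DNS(ACCEPT)     loc                 $FW
DNS(ACCEPT)     dmz                 $FW
DNS(ACCEPT)     vpn                 $FW
# admin access to the firewall only from the VPN
SSH(ACCEPT)     vpn                 $FW
EOF

    # Source NAT of the private zones behind the one public address on eth0
    # (Shorewall 5 replaces this file with "snat").
    cat > "$dir/masq" <<'EOF'
#INTERFACE  SOURCE
eth0        192.168.2.0/24,192.168.3.0/24,10.8.0.0/24
EOF
}

# Try it in a scratch directory first; point SHOREWALL_DIR at /etc/shorewall
# on the firewall domU once the rules have been reviewed.
write_shorewall_config "${SHOREWALL_DIR:-/tmp/shorewall-example}"
```

After copying the files into /etc/shorewall run `shorewall check` before `shorewall start`. Note that dmz->net is dropped, so domU3 cannot pull package updates on its own; either add a narrow ACCEPT for the update mirror or let it go through a proxy on domU2, rather than opening dmz->net wholesale.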


ditwal001 at gmail

Apr 30, 2012, 2:28 AM

Post #2 of 20
Re: Firewall in domU, networking in XEN

hi slawek,

1 comment only so far: before you begin you should know what you want. all wished features can be set up by xen, no problem, but dhcp, firewall ... with 1 nic ...

that sounds really messy

xen is not the nut here, the overall concept is!

you want all services and all security with minimal hardware (nic).

in switzerland we say: you can have the bread and the 5p at the same time :)

thanks walter



linux at thehobsons

Apr 30, 2012, 2:51 AM

Post #3 of 20
Re: Firewall in domU, networking in XEN

Sławek Kosowski wrote:

>My question, as a XEN beginner: is this config quite feasible ?

Yes, very easy.

>What should be improved ?

Nothing ?

>Should I use bridged or routed mode in XEN ?

Bridged.

For the external interface you can do it two ways.
1) Use PCI passthrough to give the DomU firewall sole use of the NIC.
2) Create a bridge in Dom0 with the NIC attached - do not give Dom0
an address on this bridge.

Create two bridges - one each for DMZ and internal networks.

When creating DomUs, give them VIFs on the bridges (ie networks) you
want them to have access to. Give Dom0 IP address(es) on the
bridge(s) you want it to be 'connected' to.

Don't use Xen network-script, use the host OS network tools to create
the bridges. Much easier and more reliable - also works the same
whether booting Xen or the host OS natively (eg when debugging or for
maintenance).

BTW - you may also want a second NIC so that your internal network is
available for other stuff (your own desktop/laptop, printers, etc) on
the internal network.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.



slawek.k_xl at wp

Apr 30, 2012, 3:58 AM

Post #4 of 20
Re: Firewall in domU, networking in XEN

The concept is to buy one powerful dedicated machine and virtualize all the rest.
@Walter can you clarify what's messy about this design ?

@Simon, thanks for the advice
The reason why I have only one physical NIC is that the server will be a dedicated server colocated in the datacenter. Therefore, I don't see any need to have additional NICs.

Question regarding the LVM.
I will have hardware RAID 1 at my disposal. I will create a volume group on the whole disk. Then I will make 2 logical volumes, one for dom0 root and one for dom0 swap. I don't see any clear advantage of making more LVs with separate mount points unless I have big and bulky files to archive by making snapshots. Simply by having only 2 LVs I decrease granularity, but facilitate management. At the limit I can add new LVs and mount them to specific locations (e.g. /usr or /var) copying the files from the root LV.

I plan to make new domU on additional LV in the same VG as dom0. Does it make sense ?

Thanks !
Slawek Kosowski



linux at thehobsons

Apr 30, 2012, 5:08 AM

Post #5 of 20
Re: Firewall in domU, networking in XEN

Sławek Kosowski wrote:

>The reason why I have only one physical NIC is
>that, the server will be a dedicated server
>collocated in the datacenter. Therefore, I don't
>see any need to have additional NICs.

Correct

>Question regarding the LVM.
>I will dispose hardware RAID 1. I will create a
>volume group on the whole disk. Then I will make
>2 logical volumes, one for dom0 root and one for
>dom0 swap. I don't see any clear advantage of
>making more LVs with separate mounting points

I agree.
BTW - for RAID1, install GRUB (or whatever
bootloader you are using) to the boot sectors of
both drives - that way the system can boot from
either drive. If you only install the bootloader
on one drive, if that fails then your system will
keep running but won't be able to boot.

>I plan to make new domU on additional LV in the
>same VG as dom0. Does it make sense ?

Yes, that's what I do.

--
Simon Hobson



ditwal001 at gmail

Apr 30, 2012, 7:19 AM

Post #6 of 20
Re: Firewall in domU, networking in XEN

sorry here,

my comment should not be taken wrong, and the concept of having one powerful
server to handle most of the services is absolutely good too, we almost do
that here too.

first:
the problem i have, for ex, is the firewall stuff. i mean, in our point of
view, a firewall should be separated by 2 nics, and i assume a bridged nic on a
xen will cause some difficulties with iptables! even i don't know how you
would guarantee security when all ip packets traverse the same nic!

second:
one powerful server == one single point of failure! what about lvm
snapshots, where to put them, what to do if the server crashes, server down
time?

that's what i wanted to say, for me the concept is missing. all your services
can be made easily with xen, windows domU, linux domU.

i would only suggest to consider using at least 2 xen servers, replicated
with drbd, but not remus! and in the very best case a third lowcost server
with disk space to copy lvm gzipped snapshots over ssh daily or weekly.

that's it.


thanks walter



linux at thehobsons

Apr 30, 2012, 7:38 AM

Post #7 of 20
Re: Firewall in domU, networking in XEN

Walter Robert Ditzler wrote:

>first:
>the probem i have, for ex, ist he firewall stuff, i mean in our point of
>view, a firewall should be seperated by 2 nic's and i assume briged nic on a
>xen will cause some difficulties with iptable! even i dont know how you
>would quaranty security when all ip packages traverse the same nic!

In this case, the OP only has a NIC for outside (untrusted) traffic.
It's for a hosted server, so there is no physical network (ie other
computers, printers etc) to need a NIC. Since external and internal
traffic won't be sharing a NIC, it's not a problem.

He'll have two separate bridges (analogous to two separate physical
switches) for 'internal' and DMZ traffic, and either a third bridge
or PCI passthrough for the outside traffic.

--
Simon Hobson



alk at ondore

Apr 30, 2012, 10:22 AM

Post #8 of 20
Re: Firewall in domU, networking in XEN

Hello.

The setup you just described looks good and it's pretty usable, we use
very similar ones here. Bridged network, OpenVPN, dnsmasq, nginx as
inverse HTTP proxy or rinetd (instead of port forwarding). We even use
set up approx for Debian repository caching and PXE to service the DomU's.

Simon Hobson just have made quite good suggestions, i don't have much to
add, except two details:

Request at least 2 external IPs from your provider, and give one of them
to your Dom0. Firewall it hard, set up port knocking, whatever, but
leave yourself an emergency access via SSH directly to Dom0. One day
your domU firewall will stop responding, even after a hard reboot, and you
will need a way to find out what's up. Also, if your provider can give
you access to his private network, it's useful to have access to the
IPMI interface (bad idea to expose it on the Internet).

Consider a second NIC, as an internal interface. Grab a cheap one, label it
with a big red warning "do not connect". It will be useful for setup
tests, and the internal bridge for the Xen network will be more "standard"
from the OS's point of view than a "dry" one. $3-$5, worth it.

--
Alexandre Kouznetsov



slawek.k_xl at wp

May 3, 2012, 1:50 AM

Post #9 of 20
Re: Firewall in domU, networking in XEN

Thank you all for responses.
The server will be a dedicated one. I'll have an access via KVMoverIP.
Snapshots will be rsynced to another VPN NAS or local NAS.

br
Slawomir






slawek.k_xl at wp

May 7, 2012, 1:09 AM

Post #10 of 20
Re: Firewall in domU, networking in XEN

I need to clarify the ethernet interface setting.
I found this link: http://old-list-archives.xen.org/archives/html/xen-users/2006-02/msg00602.html

Since I will have only one NIC at dom0 that I will passthrough to domU1, which interface do I choose for dom0 to be bridged with domU1 ?

I enclose the drawing in the attachment.
If I make a PCI passthrough for eth device, is it assigned to vif1.0 in domU1 ?
I understand that I make the bridges in domU0 ?

Thank you
Slawomir Kosowski
Attachments: network.png (13.9 KB)


list at fajar

May 7, 2012, 1:18 AM

Post #11 of 20
Re: Firewall in domU, networking in XEN

On Mon, May 7, 2012 at 3:09 PM, Sławek Kosowski <slawek.k_xl [at] wp> wrote:
> I need to clarify the ethernet interface setting.
> I found this link: http://old-list-archives.xen.org/archives/html/xen-users/2006-02/msg00602.html
>
> Since I will have only one NIC at dom0 that I will passthrough to domU1, which interface do I choose for dom0 to be bridged with domU1 ?
>
> I enclose the drawing in the attachment.
> If I make a PCI passthrough for eth device, is it assigned to vif1.0 in domU1 ?
> I understand that I make the bridges in domU0 ?

Don't bother with PCI passthru. Seriously. Plus your comments indicate
you have never tried it before.

Think of dom0 like a L2 switch that supports vlan, and set it up as such:
- If you have more than 1 NIC, it's easier if you simply bond them
together for increased availability and throughput. In your case it
doesn't matter since you only have 1 NIC.
- create VLANs on the NIC, if possible. Of course your switch (or the
providers switch) must support trunk + VLAN configuration as well.
- create bridges on dom0 for each VLAN. If you don't use VLAN, then
you only need to have one bridge (for the physical NIC). For private
(i.e. dom0 <-> domU or domU <-> domU) networks, create bridges using a
dummy interface.
- assign IP addresses on dom0 bridges as needed. If a bridge is used
only by a domU, then you don't need to assign IP on dom0 side.

--
Fajar



linux at thehobsons

May 7, 2012, 7:58 AM

Post #12 of 20
Re: Firewall in domU, networking in XEN

Sławek Kosowski wrote:
>I need to clarify the ethernet interface setting.
>I found this link:
>http://old-list-archives.xen.org/archives/html/xen-users/2006-02/msg00602.html
>
>Since I will have only one NIC at dom0 that I
>will passthrough to domU1, which interface do I
>choose for dom0 to be bridged with domU1 ?

None at all. You can have a bridge with no physical NICs assigned to it.

>I enclose the drawing in the attachment.
>If I make a PCI passthrough for eth device, is
>it assigned to vif1.0 in domU1 ?
>I understand that I make the bridges in domU0 ?

That would be Dom0, not DomU0.
If you passthrough the NIC to the firewall DomU
then it will appear as ETH<n> in DomU - there
will be no VIF associated with it.

On your drawing, delete "peth0" in Dom0 (it's in
the wrong place anyway BTW*), so "net" connects
directly to eth0 in Dom1. Dom0 will have an IP
address on br0 - ie br0 will be its interface
when you do "ifconfig".


This is completely different to the technique in the post you link to.
If you delete peth1 from the diagram in that post
then you'll have more or less what you want - br1
and br2 are the internal bridges, and you connect
virtual machines (including Dom0) to whichever
you want. Again, for Dom0 you just give it an IP
address on br<n> and it will work.

Both methods will work, which you use is largely a matter of preference.

--
Simon Hobson



cdelorme at gmail

May 7, 2012, 10:57 AM

Post #13 of 20
Re: Firewall in domU, networking in XEN

Hello Slawek,

I recently setup a Xen machine with a PFSense Router.

I tested two NIC's with passthrough and saw no change in intranet file
transfer speeds, so personally I wouldn't recommend that.


For the configuration you described in your first email, with a single NIC
entering the machine, and two separated internal networks for Virtual
Machine groups, you will need three if not four bridged connections in Dom0.


I was using Debian and created my bridges in the /etc/network/interfaces
file. If you are working with the same, yours would look like this:

auto lo xenbr0 xenbr1 xenbr2
iface lo inet loopback
iface eth0 inet manual
iface xenbr0 inet manual
    bridge_ports eth0
# the bridge-utils ifupdown hook only creates a bridge that has a
# bridge_ports line, so the NIC-less bridges need "bridge_ports none"
iface xenbr1 inet manual
    bridge_ports none
iface xenbr2 inet manual
    bridge_ports none

Your chain of connections would be similar to:

ISP Modem to eth0
eth0 Bridged to xenbr0
xenbr0 bridged to WAN on DomU1
xenbr1 bridged to LAN1 on DomU1
xenbr2 bridged to LAN2 on DomU1
xenbr1 bridged to DomU2
xenbr2 bridged to DomU3

If you want to add more services to either bridge, you just add
"bridge=xenbr#" in your network configuration files for any new HVM's.

In the configuration I provided, Dom0 does not have a connection, if you
want to give it an address on either network, change "manual" to "static"
or "dhcp" (static is controlled but requires additional lines).


My setup has Two NIC's with a switch, but only one internal network. My
interfaces is as follows:

auto lo xenbr0 xenbr1
iface lo inet loopback
iface eth0 inet manual
iface eth1 inet manual
iface xenbr0 inet manual
    bridge_ports eth0
iface xenbr1 inet static
    bridge_ports eth1
    address 10.0.0.2
    netmask 255.255.255.224
    gateway 10.0.0.1

Note that I ran into a problem on Debian where the DNS file on the machine
(not interfaces, but I can't remember it off hand and am at work) did not
update the gateway, so I had to manually update it, or add more lines to
interfaces.

There may be more you will want to do on the eth0 bridge to secure it, but
I am not a security specialist just a tech enthusiast.

Hope that helps,

~Casey


slawek.k_xl at wp

May 10, 2012, 1:44 AM

Post #14 of 20
Re: Firewall in domU, networking in XEN

Thank you guys for help.
I like the idea of bridging eth0 with vif1.0 and then just bridging vif0.0 with vif1.1

The idea for a custom network script for dom0 that will be referenced in /etc/xen/xend-config.sxp (probably incomplete and completely untested):
ip link set eth0 down
# "address" is the ip(8) keyword (there is no "mac" keyword); the fe:ff:... MAC
# and arp off keep dom0 from answering on the physical NIC itself
ip link set eth0 address fe:ff:ff:ff:ff:ff arp off
# just bridge for domU1
brctl addbr xenbr0
brctl setfd xenbr0 0
brctl addif xenbr0 eth0
ip link set xenbr0 up
ip link set eth0 up

# bridge for loc
brctl addbr xenbr1
brctl setfd xenbr1 0
brctl addif xenbr1 vif0.0
ip link set xenbr1 up
ip link set vif0.0 up
# vif0.0 is now a bridge port, so dom0's address goes on the bridge, not on the port
ip addr add 192.168.2.2/24 dev xenbr1

# bridge for dmz (these three lines all refer to xenbr2, not xenbr1)
brctl addbr xenbr2
brctl stp xenbr2 off
brctl setfd xenbr2 0
ip link set xenbr2 up
Then in domU1 config file I'll instantiate:

vif=[ 'bridge=xenbr0', 'mac=00:16:3e:07:d2:0e', 'bridge=xenbr1', 'mac=00:16:3e:07:d2:0f', 'bridge=xenbr2', 'mac=00:16:3e:07:d2:10' ]

What should be changed and how ?

Slawomir Kosowski






linux at thehobsons

May 10, 2012, 2:15 AM

Post #15 of 20
Re: Firewall in domU, networking in XEN

At 10:44 +0200 10/5/12, Sławek Kosowski wrote:

>The idea for custom network script for dom0

Really, DON'T use network script - comment it out (ie don't use it at
all) and use the host OS tools. network script is deprecated and is a
hangover from the days when most distros didn't provide
easy/convenient tools for managing bridges.

Now that most distros have good tools for this, there isn't really
any need for Xen's network script - and using the OS tools means
you'll have a config that works even when booting the host OS without
Xen (eg for troubleshooting).

For example, in Debian you can (I think) do this in /etc/network/interfaces :

auto ethext
iface ethext inet static
bridge_ports eth0

auto ethint
iface ethint inet static
bridge_ports none
address 192.168.1.x
netmask 255.255.255.0
gateway 192.168.1.1

auto ethdmz
iface ethdmz inet static
bridge_ports none

If I've got it right, this will leave you with three bridges :

ethext has one member, the real NIC eth0. Dom0 has no access to it
(no IP address configured).

ethint has no physical NICs. Dom0 has an IP in this network.

ethdmz also has no physical NIC, and also no access to Dom0.

You'd start up your first DomU for the firewall with VIFs connected
to all three bridges. For all other DomUs you'd connect them to one
or both of ethint and ethdmz according to their requirements.

You can use whatever names you like instead of ethext, ethint, and
ethdmz. Personally I don't like using things like br0, br1, etc as
it's harder to keep track of what's what.

--
Simon Hobson



Ian.Campbell at citrix

May 10, 2012, 6:01 AM

Post #16 of 20
Re: Firewall in domU, networking in XEN

On Thu, 2012-05-10 at 09:44 +0100, Sławek Kosowski wrote:
>
> vif=[ 'bridge=xenbr0', 'mac=00:16:3e:07:d2:0e', 'bridge=xenbr1',
> 'mac=00:16:3e:07:d2:0f', 'bridge=xenbr2', 'mac=00:16:3e:07:d2:10' ]

I haven't been following this thread so I don't have any comments on the
specifics of your proposal but just wanted to note that the syntax here
would actually be:
vif=[ 'bridge=xenbr0,mac=00:16:3e:07:d2:0e', 'bridge=xenbr1,mac=00:16:3e:07:d2:0f', 'bridge=xenbr2,mac=00:16:3e:07:d2:10' ]

BTW, you could actually name your bridges "dmz", "loc", etc.

Ian.





slawek.k_xl at wp

May 14, 2012, 1:04 AM

Post #17 of 20
Re: Firewall in domU, networking in XEN

Thank you guys for helpful piece of advice :)

Best regards
SK





slawek.k_xl at wp

May 23, 2012, 3:56 AM

Post #18 of 20
Re: Firewall in domU, networking in XEN

> For example, in Debian you can (I think) do this in /etc/network/interfaces :
>
> auto ethext
> iface ethext inet static
>     bridge_ports eth0
>
> auto ethint
> iface ethint inet static
>     bridge_ports none
>     address 192.168.1.x
>     netmask 255.255.255.0
>     gateway 192.168.1.1
>
> auto ethdmz
> iface ethdmz inet static
>     bridge_ports none
>
> If I've got it right, this will leave you with three bridges :
>
> ethext has one member, the real NIC eth0. Dom0 has no access to it
> (no IP address configured).
>
> ethint has no physical NICs. Dom0 has an IP in this network.
>
> ethdmz also has no physical NIC, and also no access to Dom0.

Simon, I'm running again through what you've written, and I'm still missing several points:

1. I need to create a virtual interface in dom0 that will connect to ethint (giving access to LOC). Should I create an alias to eth0 (eth0:1)?

2. I cannot configure ethdmz in the way that you've shown. It works fine if I assign an IP as in the case of ethint.

3. How should I keep the configuration of eth0 if it won't have any IP (in dom0) - it will be bridged to domU1?

Should it be something like this:

auto eth0:0
iface eth0:0 inet manual

and then configure it normally (i.e. DHCP or static) in domU1?

Thanks for help

Slawomir


linux at thehobsons

May 23, 2012, 12:22 PM

Post #19 of 20
Re: Firewall in domU, networking in XEN

Sławek Kosowski wrote:

>1. I need to create a virtual interface in dom0
>that will connect to ethint (giving an access to
>LOC). Should I create an alias to eth0 (eth0:1) ?

No. You already have access to int from Dom0 - that's what the
address 192.168.1.x
netmask 255.255.255.0
gateway 192.168.1.1
bit of the config does for you. The bridge itself
becomes the interface in Dom0 - it should show as
ethint in the output from ifconfig.


>2. I cannot configure ethdmz in the way that
>you've shown. It works fine if I assign IP as in
>case ethint

The docs I found says it should work - not a
setup I've used personally. Perhaps someone else
can confirm if I've got the syntax correct.
Do you get an error message ? Just "nothing" ?
Does the bridge appear (brctl show) ?

>3. How should I keep the configuration of eth0
>if it won't have any IP (in dom0) - it will be
>bridged to domU1 ?
>
>Should it be something like this:
>
>auto eth0:0
>
> iface eth0:0 inet manual

No, you just don't configure it at all. It will
be bridged to a DomU and Dom0 will not have any
access.


Before starting any DomUs, brctl show should give something like :
bridge name     bridge id               STP enabled     interfaces
ethext          8000.xxxxxxxxxxxx       no              eth0
ethint          8000.xxxxxxxxxxxx       no
ethdmz          8000.xxxxxxxxxxxx       no

After starting the first DomU as your firewall
device, you should see it change to something
like :
ethext          8000.xxxxxxxxxxxx       no              vifa.b
                                                        eth0
ethint          8000.xxxxxxxxxxxx       no              vifa.c
ethdmz          8000.xxxxxxxxxxxx       no              vifa.d

Not too sure about the "vifa.b" stuff, I give my
DomUs explicit interface names, so I might see :
ethext          8000.xxxxxxxxxxxx       no              fwext
                                                        eth0
ethint          8000.xxxxxxxxxxxx       no              fwint
ethdmz          8000.xxxxxxxxxxxx       no              fwdmz

Eg, in the config for my firewall DomU, I might have something like :
vif = [ 'bridge=ethext,vifname=fwext',
        'bridge=ethint,vifname=fwint',
        'bridge=ethdmz,vifname=fwdmz' ]

I just like having meaningful names - makes
things easier when you have a few VMs running. On
the other hand, it causes some confusion when
cloning a VM and I forget to change the names !

--
Simon Hobson

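A small audit of the bridge layout Simon describes above, as an added example that is not part of the thread: it parses `brctl show` and `ip -o -4 addr show` output (constructed samples below, using his ethext/ethint/ethdmz bridge names and fwext/fwint/fwdmz vif names) and flags the two mistakes that silently defeat the design, a second guest or a dom0 address on the external bridge, and a physical NIC on one of the inside bridges.

```shell
#!/bin/sh
# Added example, not from the thread. Audits the three-bridge dom0 layout
# against two invariants: the external bridge carries only the physical NIC
# plus the firewall domU's vif, and dom0 holds no IPv4 address on it
# (otherwise dom0 is reachable from the net without passing the firewall
# domU). Names are assumptions matching Simon's post: bridges
# ethext/ethint/ethdmz, firewall vifs fwext/fwint/fwdmz.

# Constructed sample of `brctl show` after the firewall domU and two more
# guests (vif2.0 on ethint, vif3.0 on ethdmz) have started.
SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
ethext          8000.001122334455       no              eth0
                                                        fwext
ethint          8000.000000000000       no              fwint
                                                        vif2.0
ethdmz          8000.000000000000       no              fwdmz
                                                        vif3.0'

# Constructed sample of `ip -o -4 addr show` on dom0: only ethint has an address.
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
4: ethint    inet 192.168.1.2/24 brd 192.168.1.255 scope global ethint'

# Print the ports of bridge $2 from brctl output $1, one per line. brctl
# lists extra ports on continuation lines whose only field is the port name.
bridge_ports() {
    printf '%s\n' "$1" | awk -v b="$2" '
        NR == 1 { next }
        NF >= 3 { cur = $1; if (NF >= 4 && cur == b) print $NF; next }
        NF == 1 && cur == b { print $1 }'
}

# Succeed if dom0 has an IPv4 address on interface $2 in `ip -o -4 addr` output $1.
dom0_has_addr() {
    printf '%s\n' "$1" | awk -v i="$2" '$2 == i && $3 == "inet" { found = 1 } END { exit !found }'
}

# check_ext_bridge BRCTL ADDR BRIDGE PHYS FW_VIF
# Returns 0 if the external bridge is clean, 1 with one VIOLATION line per problem.
check_ext_bridge() {
    ports=$(bridge_ports "$1" "$3")
    rc=0
    for p in $ports; do
        case "$p" in
            "$4"|"$5") ;;
            *) echo "VIOLATION: $p is on $3; only $4 and $5 belong there"; rc=1 ;;
        esac
    done
    for want in "$4" "$5"; do
        printf '%s\n' "$ports" | grep -qx "$want" || { echo "VIOLATION: $want missing from $3"; rc=1; }
    done
    if dom0_has_addr "$2" "$3"; then
        echo "VIOLATION: dom0 has an address on $3 and bypasses the firewall domU"
        rc=1
    fi
    return $rc
}

# check_internal_bridge BRCTL BRIDGE: an inside bridge must have no physical NIC.
check_internal_bridge() {
    bridge_ports "$1" "$2" | grep -Eq '^(eth|en|bond)' && {
        echo "VIOLATION: physical NIC attached to $2"; return 1; }
    return 0
}

check_ext_bridge "$SAMPLE_BRCTL" "$SAMPLE_ADDR" ethext eth0 fwext && echo "ethext: OK"
check_internal_bridge "$SAMPLE_BRCTL" ethint && echo "ethint: OK"
check_internal_bridge "$SAMPLE_BRCTL" ethdmz && echo "ethdmz: OK"
```

On a live dom0 feed it the real output: `check_ext_bridge "$(brctl show)" "$(ip -o -4 addr show)" ethext eth0 fwext`. Nothing here needs root, so it can run from cron after every guest start and alert on the first VIOLATION line.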


slawek.k_xl at wp

May 24, 2012, 1:05 AM

Post #20 of 20
Re: Firewall in domU, networking in XEN

> Sławek Kosowski wrote:
>
> 1. I need to create a virtual interface in dom0 that will connect to
> ethint (giving an access to LOC). Should I create an alias to eth0
> (eth0:1) ?
>
> No. You already have access to int from Dom0 - that's what the address
> 192.168.1.x netmask 255.255.255.0 gateway 192.168.1.1 bit of the
> config does for you. The bridge itself becomes the interface in Dom0 -
> it should show as ethint in the output from ifconfig.
>
That works fine. So I understand that this is an interface configuration
with possibility of bridging other ports, right ? (something like
configured interface directly connected to switch where no other
interfaces are connected)? This is not the configuration of bridge
itself, since L2 bridge cannot have its own IP address (however, I know
that I can assign an IP address in linux which does not make sense at
this point) ?
>
> 2. I cannot configure ethdmz in the way that you've shown. It works
> fine if I assign IP as in case ethint
>
> The docs I found says it should work - not a setup I've used
> personally. Perhaps someone else can confirm if I've got the syntax
> correct. Do you get an error message ? Just "nothing" ? Does the
> bridge appear (brctl show) ?
>
I get:
Don't seem to have all the variables for ethdmz/inet.
Failed to bring up ethdmz.
It's working fine when I change static to manual

bridge name bridge id STP enabled interfaces
ethdmz 8000.000000000000 no
>
> 3. How should I keep the configuration of eth0 if it won't have any IP
> (in dom0) - it will be bridged to domU1 ?
>
> Should it be something like this:
>
> auto eth0:0
>
> iface eth0:0 inet manual
>
> No, you just don't configure it at all. It will be bridged to a DomU
> and Dom0 will not have any access.
>
So I delete the default eth0 configuration from /etc/network/interfaces ?
>
> Before starting any DomUs, brctl show should give something like :
> bridge name     bridge id               STP enabled     interfaces
> ethext          8000.xxxxxxxxxxxx       no              eth0
> ethint          8000.xxxxxxxxxxxx       no
> ethdmz          8000.xxxxxxxxxxxx       no
>
> After starting the first DomU as your firewall device, you should see
> it change to something like :
> ethext          8000.xxxxxxxxxxxx       no              vifa.b
>                                                         eth0
> ethint          8000.xxxxxxxxxxxx       no              vifa.c
> ethdmz          8000.xxxxxxxxxxxx       no              vifa.d
>
> Not too sure about the "vifa.b" stuff, I give my DomUs explicit
> interface names, so I might see :
> ethext          8000.xxxxxxxxxxxx       no              fwext
>                                                         eth0
> ethint          8000.xxxxxxxxxxxx       no              fwint
> ethdmz          8000.xxxxxxxxxxxx       no              fwdmz
>
> Eg, in the config for my firewall DomU, I might have something like :
> vif = [ 'bridge=ethext,vifname=fwext', 'bridge=ethint,vifname=fwint',
> 'bridge=ethdmz,vifname=fwdmz' ]
>
> I just like having meaningful names - makes things easier when you
> have a few VMs running. On the other hand, it causes some confusion
> when cloning a VM and I forget to change the names !
>
>
Sounds good, thanks !
Slawomir Kosowski
