Mark Clarke
2007-Apr-22 10:13 UTC
shorewall Dom0 config using Xen's default setup -- correct?
Hi all,

The first couple of xen machines we set up used the default xen bridging setup for dom0. I am sure there are many other people out there with this setup. Now that I know a bit more there are probably better ways out there to configure the xen box for firewalling, most notably assigning the red card to a domU and running shorewall in there.

But in the meantime I would like to further secure the machines with the default xen setup. I have been reading the guide on the shorewall site and got help from Tom. With the new mental model I have, I have come up with the following config for dom0 xen with bridging. The aim is to protect the Dom0 and the domUs from within dom0.

This is for a box where all virtual machines have public IPs including dom0 as it is in a data-center, but it can also be used for a server sitting in a DMZ except for the norfc1918 option.

Thanks

zones
=====
fw    firewall
xen   ipv4
dmz   ipv4
net   ipv4

interfaces
==========
-     xenbr0   -
net   eth0     detect   norfc1918

hosts
=====
xen   xenbr0:vif0.0
dmz   xenbr0:vif+     routeback
net   xenbr0:peth0

policy
======
fw    all   ACCEPT
xen   all   ACCEPT
dmz   all   ACCEPT
net   xen   REJECT   info
net   dmz   REJECT   info
net   net   NONE
all   all   REJECT   info

rules
=====
ACCEPT        net   dmz   udp   domain
ACCEPT        net   dmz   tcp   www,smtp,ftp
Trcrt/ACCEPT  net   dmz
ACCEPT        net   xen   tcp   ssh
ACCEPT        net   fw    tcp   ssh
Tom Eastep
2007-Apr-23 22:16 UTC
Re: shorewall Dom0 config using Xen's default setup -- correct?
Mark Clarke wrote:
> Hi all,
>
> The first couple of xen machines we set up used the default xen bridging
> setup for dom0. I am sure there are many other people out there with
> this setup. Now that I know a bit more there are probably better ways
> out there to configure the xen box for firewalling, most notably
> assigning the red card to a domU and running shorewall in there.
>
> But in the meantime I would like to further secure the machines with the
> default xen setup. I have been reading the guide on the shorewall site
> and got help from Tom. With the new mental model I have, I have come up
> with the following config for dom0 xen with bridging. The aim is to
> protect the Dom0 and the domUs from within dom0.
>
> This is for a box where all virtual machines have public IPs including
> dom0 as it is in a data-center, but it can also be used for a server sitting
> in a DMZ except for the norfc1918 option.
>
> Thanks
>
> zones
> =====
> fw    firewall
> xen   ipv4
> dmz   ipv4
> net   ipv4
>
> interfaces
> ==========
> -     xenbr0   -
> net   eth0     detect   norfc1918
>
> hosts
> =====
> xen   xenbr0:vif0.0
> dmz   xenbr0:vif+     routeback
> net   xenbr0:peth0

Beware that the above zone configuration will stop working forever when you upgrade to kernel 2.6.20.

This is another reason to avoid firewalling in a bridged Xen Dom0.

> policy
> ======
> fw    all   ACCEPT
> xen   all   ACCEPT
> dmz   all   ACCEPT
> net   xen   REJECT   info

I think the above policy is silly -- better:

all   xen   ACCEPT
net   fw    REJECT   info

That avoids the need in your rules file to duplicate your net->fw rules.

> net   dmz   REJECT   info
> net   net   NONE
> all   all   REJECT   info
>
> rules
> =====
> ACCEPT        net   dmz   udp   domain
> ACCEPT        net   dmz   tcp   www,smtp,ftp
> Trcrt/ACCEPT  net   dmz
> ACCEPT        net   xen   tcp   ssh
> ACCEPT        net   fw    tcp   ssh
>

-Tom

-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
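To see why Tom's policy change removes the duplicated rules, here is a small constructed model (an added example, not Shorewall's code or either poster's files) of the two-leg check a connection to dom0 goes through in this bridged setup: it is evaluated once as bridge-forwarded traffic (net -> xen, peth0 to vif0.0) and once on entry to dom0's own IP stack (net -> fw). The zone names, policy rows and rules are taken from the thread; the first-match evaluation is a simplification that ignores macros such as Trcrt.

```python
# Constructed toy model of the two policy variants in this thread (added
# example, not Shorewall's own code). A connection from the net to dom0 in a
# bridged Dom0 must pass both the bridge leg (net -> xen) and the input leg
# (net -> fw); a connection to a domU only crosses the bridge (net -> dmz).

# Shorewall-style first-match tables: policy rows are (source, dest, action),
# rule rows are (action, source, dest, proto, ports). "all" is a wildcard.
ORIGINAL_POLICY = [
    ("fw", "all", "ACCEPT"), ("xen", "all", "ACCEPT"), ("dmz", "all", "ACCEPT"),
    ("net", "xen", "REJECT"), ("net", "dmz", "REJECT"), ("net", "net", "NONE"),
    ("all", "all", "REJECT"),
]
# Tom's suggestion: accept everything into the xen zone (dom0's bridge leg)
# and put the restriction on net -> fw, so only one set of rules is needed.
SUGGESTED_POLICY = [
    ("fw", "all", "ACCEPT"), ("xen", "all", "ACCEPT"), ("dmz", "all", "ACCEPT"),
    ("all", "xen", "ACCEPT"), ("net", "fw", "REJECT"), ("net", "dmz", "REJECT"),
    ("net", "net", "NONE"), ("all", "all", "REJECT"),
]
ORIGINAL_RULES = [
    ("ACCEPT", "net", "dmz", "udp", "domain"),
    ("ACCEPT", "net", "dmz", "tcp", "www,smtp,ftp"),
    ("ACCEPT", "net", "xen", "tcp", "ssh"),   # the duplicate needed only under ORIGINAL_POLICY
    ("ACCEPT", "net", "fw", "tcp", "ssh"),
]
# With the suggested policy the net -> xen rule can be dropped.
SUGGESTED_RULES = [r for r in ORIGINAL_RULES if (r[1], r[2]) != ("net", "xen")]

def _zone_match(pattern, zone):
    return pattern == "all" or pattern == zone

def verdict(policy, rules, src, dst, proto, port):
    """First matching rule wins; otherwise the first matching policy row."""
    for action, rsrc, rdst, rproto, ports in rules:
        if (_zone_match(rsrc, src) and _zone_match(rdst, dst)
                and rproto == proto and port in ports.split(",")):
            return action
    for psrc, pdst, action in policy:
        if _zone_match(psrc, src) and _zone_match(pdst, dst):
            return action
    return "DROP"  # unreachable here: both tables end with a catch-all row

def dom0_reachable(policy, rules, proto, port):
    """True only if both the bridge leg and the input leg accept the connection."""
    bridge_leg = verdict(policy, rules, "net", "xen", proto, port)
    input_leg = verdict(policy, rules, "net", "fw", proto, port)
    return bridge_leg == "ACCEPT" and input_leg == "ACCEPT"

def domu_reachable(policy, rules, proto, port):
    """A domU behind the bridge is checked once, as net -> dmz."""
    return verdict(policy, rules, "net", "dmz", proto, port) == "ACCEPT"
```

Under the original policy, removing the `ACCEPT net xen tcp ssh` line silently cuts off ssh to dom0 because the bridge leg falls through to `net xen REJECT`; under the suggested policy the single `net fw` rule is enough.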