>> I am considering running several virtual servers on one box, all
>> linux for host and virtual machines using VirtualBox.
>>
>> Is it possible/advisable to configure shorewall on the host to act
>> as a firewall for the virtual machines, each having one or more
>> static public IP address?
>
> I run Shorewall on hosts with numerous OpenVZ and KVM guests. For
> full hardware virt, I strongly recommend a supported hypervisor (KVM
> or Xen) managed by libvirt.
The original question has been one that's been keeping me busy forever
so I'll just share some of my ideas. But beware: they are
always in flux and never complete, you'll see what I mean :)
I have been using virtualisation since somewhere in 2008 and for a
pretty long while now I am using 'plain Xen'. Really good results
performance wise and I appreciate the separation of hypervisor and OS
(plural). I wanted to keep dom0 as "dumb" as possible, so: managing domU
hardware, starting/stopping clients, that kind of thing, but nothing
more.
The host (dom0) runs openvswitch, quote: "a production quality,
multilayer virtual switch licensed under the open source Apache 2.0
license." It looks like this will be included in Linux kernel 3.3.
With it one can create any number of virtual bridges and they offer a lot
more control than generic Linux bridges. Openvswitch seems to support
VLAN and QinQ but I'll skip this lest I make it too obvious that
I'm just repeating what the label says... I'll admit that I know zilch
about VLAN.
Now when I say 'bridge' I mean something that is only visible in dom0.
None of the domUs see any bridge, they just see their own nic i.e.
eth0, maybe eth1. On this system I am making use of pfsense but sure,
you can use Shorewall with ease. Before illustrating it I'll describe
it some more. The idea here is: one subnet per bridge; one
firewall nic per subnet; and one subnet has either a single client or
multiple clients.
Dom0's eth0 is a port on an ovs bridge and so is the firewall's
virtual nic. That means that you see data center traffic on the
firewall's eth0 port.
Then, in the case of multiple clients on one bridge, this can be
192.168.1.0/24. This subnet can have multiple "virtual workstations"
that are free to talk with each other by design. They all share one
bridge, invisible to them, on which the domU firewall also resides. If
you need client firewalling here then it must be set up by the client.
Although it's even better if people learn to simply not bind services
to the wildcard or LAN IP if they shouldn't be reachable.
A single client per bridge is for hosts that are reachable on globally
reachable IP addresses. Rule of thumb: One public address is regarded
as one subnet thus its own bridge. This makes it a lot harder to reach
other hosts because they will have to do it through the firewall.
That's why I don't simply hook all of them onto one bridge.
So: global IP -> 1:1 NAT translation -> /31 (PtP) subnet.
Here's the diagram, simple and ugly so hereby declared public domain
(hehe). Here I try to illustrate the gist. One dom0, one dedicated
firewall, three "workstations", four publicly reachable servers = nine
servers on the same metal.
http://imgur.com/cwClE
In my case the domUs are not meant to all run as fully configured
web/mail/database servers. Each server is quite narrow in scope,
compare it to FreeBSD with jails on steroids where one jail runs a
webserver and the other a mail hub.
I hope this is of some benefit to OP and I would also appreciate
learning about quirks, holes or stupidities of this approach, networking or
otherwise, because I am still looking to improve this scheme. Can I
benefit from 'virtual VLANs'? Unless the list admin frowns on the
discussion of this due to its off topic nature... in which case 'reply'
will still do rather than 'reply all.' :)
Mark
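To make the "one public IP = one bridge = one /31 = one firewall nic, fronted by 1:1 NAT" scheme concrete, here is an added planning script (not part of Mark's post or of Shorewall/Open vSwitch): it carves a /31 point-to-point link per public address out of a private pool and emits the matching Shorewall `nat` and `interfaces` rows plus the dom0 `ovs-vsctl` commands. The public addresses, the 10.255.0.0/24 pool, the `brsrvN`/`srvN` names and the assumption that the firewall's eth0 is the uplink and eth1 the shared 192.168.1.0/24 bridge are all constructed for the example.

```python
import ipaddress

# Constructed sample input: the four publicly reachable servers in the diagram
# and the pool that is cut into /31 links between firewall domU and server domU.
PUBLIC_IPS = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]
PTP_POOL = "10.255.0.0/24"
FIRST_SRV_NIC = 2  # assumption: firewall eth0 = uplink, eth1 = shared LAN bridge


def plan_single_client_bridges(public_ips, ptp_pool=PTP_POOL, first_nic=FIRST_SRV_NIC):
    """One bridge, one firewall NIC and one /31 per public IP.

    Each entry: public, bridge, fw_nic, fw_ip (firewall side), domu_ip (server side), ptp.
    A /31 has exactly two addresses and no network/broadcast address (RFC 3021),
    so the pair is taken by index rather than via hosts().
    """
    if len(set(public_ips)) != len(public_ips):
        raise ValueError("duplicate public IP: two servers would share one bridge")
    links = ipaddress.ip_network(ptp_pool).subnets(new_prefix=31)
    plan = []
    for i, (public, link) in enumerate(zip(public_ips, links)):
        plan.append({
            "public": str(ipaddress.ip_address(public)),
            "bridge": f"brsrv{i}",
            "fw_nic": f"eth{first_nic + i}",
            "fw_ip": str(link[0]),
            "domu_ip": str(link[1]),
            "ptp": str(link),
        })
    return plan


def shorewall_nat_lines(plan, ext_iface="eth0"):
    """Rows for /etc/shorewall/nat (EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL):
    global IP -> 1:1 NAT -> the server's /31 address. Rules then match domu_ip."""
    return [f"{p['public']}\t{ext_iface}\t{p['domu_ip']}\tno\tno" for p in plan]


def shorewall_interface_lines(plan):
    """Rows for /etc/shorewall/interfaces: a separate zone per /31 NIC, so that
    server-to-server traffic can only pass through the firewall's policy."""
    return [f"srv{i}\t{p['fw_nic']}\ttcpflags,nosmurfs" for i, p in enumerate(plan)]


def dom0_ovs_commands(plan):
    """dom0 commands creating one invisible OVS bridge per server (text only, not run here)."""
    return [f"ovs-vsctl add-br {p['bridge']}" for p in plan]


if __name__ == "__main__":
    plan = plan_single_client_bridges(PUBLIC_IPS)
    print("\n".join(dom0_ovs_commands(plan) + shorewall_interface_lines(plan) + shorewall_nat_lines(plan)))
```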