Is it possible with Xen to construct something like the following scenario?

Free/NetBSD (*) domU server running pf or Linux/iptables, acting as a routing or bridging firewall for all the other domU guests? Furthermore, create virtual DMZ and internal services.

You'd probably keep the dom0 instance outside this setup, with its own filtering arrangement.

For instance, you have a subnet 192.168.1.0/24. Put the dom0 on 192.168.1.254. Have the firewall router domU running on 192.168.1.1 and acting as the gateway for all the other machines on the subnet.

(*) This is my dream, using pf for security and debian for serving the applications. ;)

Nicholas

-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting Tool for open source databases. Create drag-&-drop reports. Save time by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc. Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xen-devel
> Is it possible with Xen to construct something like the following scenario.
>
> Free/NetBSD (*) domU server running pf or Linux/iptables, acting as a
> routing or bridging firewall for all the other domU guests? Furthermore
> create virtual DMZ and internal services.
>
> You'd probably keep the dom0 instance outside this setup, with its own
> filtering arrangement.
>

If you give direct network device access to first domU you can set up your scheme fairly easily. Otherwise (in the standard setup) dom0 will be handling all the incoming/outgoing traffic with no involvement from first domU (so no firewall possible there).

Cheers
Gregor

> For instance, you have a subnet 192.168.1.0/24. Put the dom0 on
> 192.168.1.254. Have the firewall router domU running on 192.168.1.1 and
> acting as the gateway for all the other machines on the subnet.
>
>
> (*) This is my dream, using pf for security and debian for serving the
> applications. ;)
>
> Nicholas

--
Quidquid latine dictum sit, altum viditur --- Anon
On 21 Jan 2005, at 14:55, Grzegorz Milos wrote:

>> Is it possible with Xen to construct something like the following
>> scenario.
>>
>> Free/NetBSD (*) domU server running pf or Linux/iptables, acting as a
>> routing or bridging firewall for all the other domU guests? Furthermore
>> create virtual DMZ and internal services.
>>
>> You'd probably keep the dom0 instance outside this setup, with its
>> own filtering arrangement.
>>
>
> If you give direct network device access to first domU you can set up
> your scheme fairly easily. Otherwise (in the standard setup) dom0 will be
> handling all the incoming/outgoing traffic with no involvement from first
> domU (so no firewall possible there).

How? I thought all network traffic must pass through domain0 in first instance. How do you give a domainU instance direct access to a network interface, like eth1? I'm currently using a bridge, xen-br0, attached to eth1, and domainU attached to xen-br0. How can I configure domainU to attach to eth1 directly?
Felipe Alfaro Solana wrote:

> How? I thought all network traffic must pass through domain0 in first
> instance. How do you give a domainU instance direct access to a network
> interface, like eth1? I'm currently using a bridge, xen-br0, attached to
> eth1, and domainU attached to xen-br0. How can I configure domainU to
> attach to eth1 directly?

You have to give domU permission to access your phisical NIC device. It's described somewhere in the manual, iirc.

-jkt

--
cd /local/pub && more beer > /dev/mouth
Jan Kundrát wrote:

> phisical

oops :-), forgive me, but it's friday afternoon :-)

-jkt

--
cd /local/pub && more beer > /dev/mouth
You might also want to check out ebtables (http://ebtables.sourceorge.net)

On Fri, 21 Jan 2005 16:08:00 +0100, Jan Kundrát <jan.kundrat@fzu.cz> wrote:

> Jan Kundrát wrote:
>
> > phisical
>
> oops :-), forgive me, but it's friday afternoon :-)
>
> -jkt
>
> --
> cd /local/pub && more beer > /dev/mouth
>
On Fri, 21 Jan 2005 13:55:35 +0000
Grzegorz Milos <gm281@hermes.cam.ac.uk> wrote:

> > Is it possible with Xen to construct something like the following scenario.
> >
> > Free/NetBSD (*) domU server running pf or Linux/iptables, acting as a
> > routing or bridging firewall for all the other domU guests? Furthermore
> > create virtual DMZ and internal services.

I've done it and it's been running for two or three months at home and it seems to work ...

> >
> > You'd probably keep the dom0 instance outside this setup, with its own
> > filtering arrangement.
> >
>
> If you give direct network device access to first domU you can set up your
> scheme fairly easily. Otherwise (in the standard setup) dom0 will be handling
> all the incoming/outgoing traffic with no involvement from first domU (so no
> firewall possible there).

Not sure, see my setup:

I've two cards in dom0: eth0 and eth1. eth1 is linked to my xdsl modem, eth0 to a switch for other physical machines; eth0 is also shared with other xenU domains (those which are considered to be after the firewall).

br0 encapsulates eth0, one of the virtual network cards of my firewall (the one considered filtered) and the other xenU virtual network cards.
br1 encapsulates eth1 and the other virtual network card.

My basic idea was not to configure eth1 at all; I thought that if the interface is not activated there is no chance of attacking xen0. It turns out that in order to have the packets directed to xenFirewall-input, I must do ifconfig eth1 up. By doing it this way, I must say that I feel less comfortable, but I still have faith (and some iptables rules in dom0).

In order to feel secure I've activated the antispoof options, but as it was broken for me I tweaked the rules a little ... if someone is interested I can post my script and give some explanations.

I must say that I'm planning to switch to a solution where my eth1 is directly exported in xenFirewall.

>
> Cheers
> Gregor
>
> > For instance, you have a subnet 192.168.1.0/24. Put the dom0 on
> > 192.168.1.254. Have the firewall router domU running on 192.168.1.1 and
> > acting as the gateway for all the other machines on the subnet.
> >
> >
> > (*) This is my dream, using pf for security and debian for serving the
> > applications. ;)

HTH
> In order to feel secure I've activated the antispoof options,
> but as it was broken for me I tweaked the rules a little ... if someone is
> interested I can post my script and give some explanations.

That would be useful.

Thanks,
Ian
On Mon, Jan 24, 2005 at 12:12:00AM +0100, Matthieu PATOU wrote:

> On Fri, 21 Jan 2005 13:55:35 +0000
> Grzegorz Milos <gm281@hermes.cam.ac.uk> wrote:
>
> > > Is it possible with Xen to construct something like the following scenario.
> > >
> > > Free/NetBSD (*) domU server running pf or Linux/iptables, acting as a
> > > routing or bridging firewall for all the other domU guests? Furthermore
> > > create virtual DMZ and internal services.
>
> I've done it and it's been running for two or three months at home and it
> seems to work ...

For the comments below I assume you are using Linux as your firewall OS.

> Not sure, see my setup:
> I've two cards in dom0: eth0 and eth1. eth1 is linked to my xdsl modem, eth0 to
> a switch for other physical machines; eth0 is also shared with other xenU
> domains (those which are considered to be after the firewall).
> br0 encapsulates eth0, one of the virtual network cards of my firewall (the one
> considered filtered) and the other xenU virtual network cards.
> br1 encapsulates eth1 and the other virtual network card.

So in a sense you've put your virtual servers on the same network as some of your internal machines.

> My basic idea was not to configure eth1 at all; I thought that if the interface
> is not activated there is no chance of attacking xen0.
> It turns out that in order to have the packets directed to xenFirewall-input,
> I must do ifconfig eth1 up.

I've been thinking that the following similar method is possible, without resorting to giving physical device access to a domU.

Basically the same as above, except I'll just have a virtual eth1.

Put dom0 and a virtual NIC for the firewall (domU1-eth0 say) on br0/eth0. Put domU1-veth1 and all the other domUs on br1. Then set up domU1 as a bridging firewall. Admin domU1, either via the console from dom0 or set up a third private internal accessible from dom0 or a management VPN.

So there are three bridges. Not sure how well it would perform, or whether the net/freebsd virtual NIC drivers can handle this scenario. It seems workable though.

Pf+altq are by far much nicer than iptables.

Nicholas
> For the comments below I assume you are using Linux as your firewall OS.
>

That's right ...

> > Not sure, see my setup:
> > I've two cards in dom0: eth0 and eth1. eth1 is linked to my xdsl
> > modem, eth0 to a switch for other physical machines; eth0 is also
> > shared with other xenU domains (those which are considered to be
> > after the firewall). br0 encapsulates eth0, one of the virtual network
> > cards of my firewall (the one considered filtered) and the other xenU
> > virtual network cards. br1 encapsulates eth1 and the other virtual
> > network card.
>
> So in a sense you've put your virtual servers on the same network as
> some of your internal machines.
>

Yes, that's right, but is it a problem? From a simple user point of view the virtual servers which are after the firewall should be another server.

> > My basic idea was not to configure eth1 at all; I thought that if the
> > interface is not activated there is no chance of attacking xen0.
> > It turns out that in order to have the packets directed to
> > xenFirewall-input, I must do ifconfig eth1 up.
>
> I've been thinking that the following similar method is possible, without
> resorting to giving physical device access to a domU.
>
> Basically the same as above, except I'll just have a virtual eth1.
>
> Put dom0 and a virtual NIC for the firewall (domU1-eth0 say) on br0/eth0.
> Put domU1-veth1 and all the other domUs on br1. Then set up domU1 as a
> bridging firewall. Admin domU1, either via the console from dom0 or set up
> a third private internal accessible from dom0 or a management VPN.
>

Quite complicated? It seems that you're relying on the fact that your inbound traffic will go to eth0 through your firewall (through dom1 in fact). I'm quite afraid that some cleverly forged packet can go through dom0 without going through dom1.

> So there are three bridges. Not sure how well it would perform, or
> whether the net/freebsd virtual NIC drivers can handle this scenario. It
> seems workable though.
>
> Pf+altq are by far much nicer than iptables.

Not an expert in freebsd; better be sure than experimenting when talking about security.
On Tue, Jan 25, 2005 at 06:27:09PM +0100, Matthieu wrote:

> > So in a sense you've put your virtual servers on the same network as
> > some of your internal machines.
> >
> Yes, that's right, but is it a problem?

No, only if you don't have a physical internal network. Like a machine in a colo.

> Quite complicated? It seems that you're relying on the fact that your inbound
> traffic will go to eth0 through your firewall (through dom1 in fact).
> I'm quite afraid that some cleverly forged packet can go
> through dom0 without going through dom1.

Relying on the way bridging works. The internal hosts are on a separate bridge from the external dom0. The domU1 bridge will need to be traversed for traffic to go from the external bridge to the internal bridge. If it doesn't work like that, then bridging is broken.

Think of each bridge as a switch, with domU1 being a smart switch. Connecting a host to each switch by adding one of its interfaces to the bridge is like joining two switches by a crossover cable. If there is no direct cable between the external and internal bridges, but they have to instead traverse the bridging firewall switch, then everything is as it should be.

Nicholas
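The "each bridge is a switch, a dual-homed host is a crossover cable" argument above can be checked mechanically. The following is an added example, not code from the thread or from Xen's own network scripts: it models the two layouts discussed (Nicholas's three-bridge design and Matthieu's two-bridge setup, with attachment lists and the spare interface names constructed from the descriptions in the posts) and lists every layer-2 path from the external bridge to the internal one that avoids the firewall domain. An empty list means the only way between the segments is through the firewall; a non-empty one names the domain whose own forwarding and filtering configuration is all that keeps the segments apart, which in Matthieu's layout is dom0 itself, the exact worry raised in the thread.

```python
"""Audit a Xen bridged-network layout for paths that skip the firewall domain.

Constructed example (not from the thread or from Xen's own scripts).  Each
bridge is treated as a switch, as in the post above; a domain is attached to
a bridge through a vif (or a physical NIC, for dom0).  Only the firewall
domains are supposed to relay frames between their attachments.  Any other
domain with a foot on two segments would relay too if forwarding were ever
turned on inside it, so the audit reports such "cable around the firewall"
paths explicitly.
"""
from collections import defaultdict


def build_graph(attachments):
    """attachments: (domain, bridge, interface) triples.
    Returns domain -> set(bridges) and bridge -> set(domains)."""
    bridges_of = defaultdict(set)
    domains_on = defaultdict(set)
    for dom, br, _iface in attachments:
        bridges_of[dom].add(br)
        domains_on[br].add(dom)
    return bridges_of, domains_on


def _paths(attachments, external, internal, may_relay):
    """Simple paths external -> internal, alternating bridge, domain, bridge...
    A domain is stepped through only if may_relay(domain) is true."""
    bridges_of, domains_on = build_graph(attachments)
    found = []

    def walk(bridge, path, seen):
        if bridge == internal:
            found.append(path)
            return
        for dom in sorted(domains_on[bridge]):
            if dom in seen or not may_relay(dom):
                continue
            for nxt in sorted(bridges_of[dom]):
                if nxt not in seen:
                    walk(nxt, path + [dom, nxt], seen | {dom, nxt})

    walk(external, [external], {external})
    return found


def firewall_paths(attachments, firewalls, external, internal):
    """The paths traffic is meant to take: only firewall domains relay."""
    return _paths(attachments, external, internal, lambda d: d in firewalls)


def bypass_paths(attachments, firewalls, external, internal):
    """Paths that avoid every firewall domain, assuming every other domain
    relayed.  Empty list: the firewall cannot be bypassed at layer 2.
    Otherwise each listed domain is one whose own forwarding/filtering
    configuration is all that separates the two segments."""
    return _paths(attachments, external, internal, lambda d: d not in firewalls)


# Nicholas's three-bridge design as described in the thread (constructed
# attachment list; interface names for the served domUs are assumed).
NICHOLAS_LAYOUT = [
    ("dom0",  "br0", "eth0"),         # dom0 and the physical NIC on the external bridge
    ("domU1", "br0", "domU1-eth0"),   # firewall's external vif
    ("domU1", "br1", "domU1-veth1"),  # firewall's internal vif
    ("domU2", "br1", "eth0"),         # served domUs live only on br1
    ("domU3", "br1", "eth0"),
    ("dom0",  "br2", "mgmt0"),        # third, private management bridge
    ("domU1", "br2", "domU1-veth2"),
]

# Matthieu's two-bridge setup: dom0 has eth1 (xdsl) on br1 and eth0 (LAN
# switch) on br0; the firewall domain has one vif on each bridge.
MATTHIEU_LAYOUT = [
    ("dom0",        "br1", "eth1"),
    ("dom0",        "br0", "eth0"),
    ("xenFirewall", "br1", "vif1.1"),
    ("xenFirewall", "br0", "vif1.0"),
    ("xenU-web",    "br0", "vif2.0"),  # assumed name for a served domU
]


def audit(name, layout, firewalls, external, internal):
    """Print the expected paths and any bypass; return True when no bypass exists."""
    wanted = firewall_paths(layout, firewalls, external, internal)
    bypass = bypass_paths(layout, firewalls, external, internal)
    print(f"{name}: through firewall: {wanted}")
    print(f"{name}: bypass candidates: {bypass or 'none'}")
    return not bypass


if __name__ == "__main__":
    audit("nicholas", NICHOLAS_LAYOUT, {"domU1"}, "br0", "br1")
    # dom0 itself sits on both segments here, which is exactly the
    # "cleverly forged packet going through dom0" worry from the thread.
    audit("matthieu", MATTHIEU_LAYOUT, {"xenFirewall"}, "br1", "br0")
```

The model deliberately ignores what dom0 does with a frame once it has it (ip_forward, its own iptables rules): the point of the check is to find the places where that configuration is the only thing standing between the outside and the inside, which is where the thread's attention belongs.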
On Sun, 23 Jan 2005 23:15:29 -0000
"Ian Pratt" <m+Ian.Pratt@cl.cam.ac.uk> wrote:

> > In order to feel secure I've activated the antispoof options,
> > but as it was broken for me I tweaked the rules a little ... if someone is
> > interested I can post my script and give some explanations.
>
> That would be useful.
>

See the attached files. In order to work I put some rules: vifx.0 must be bridged to xen-br0 (it corresponds to the output of the firewall) in order to be really accessible (some iptables rules are just added at lines 79 and 80 for vifx.0 and not for the other vifs).
Are you sure your new scripts actually still implement the antispoof feature of ensuring that the guest can only send packets using its allocated IP? It looks to me like they're too lax.

Ian

> -----Original Message-----
> From: Matthieu PATOU [mailto:matxen@matws.net]
> Sent: 26 January 2005 21:12
> To: Ian Pratt
> Cc: xen-devel@lists.sourceforge.net
> Subject: Re: [Xen-devel] Bridging firewall?
>
> On Sun, 23 Jan 2005 23:15:29 -0000
> "Ian Pratt" <m+Ian.Pratt@cl.cam.ac.uk> wrote:
>
> > > In order to feel secure I've activated the antispoof options,
> > > but as it was broken for me I tweaked the rules a little ... if someone is
> > > interested I can post my script and give some explanations.
> >
> > That would be useful.
> >
> See the attached files. In order to work I put some rules:
> vifx.0 must be bridged to xen-br0 (it corresponds to the
> output of the firewall) in order to be really accessible (some iptables
> rules are just added at lines 79 and 80 for vifx.0 and not for the other vifs).
>
>
> Are you sure your new scripts actually still implement the antispoof
> feature of ensuring that the guest can only send packets using its
> allocated IP? It looks to me like they're too lax.

The modifications to /etc/xen/scripts/network and /etc/xen/script/vif-bridge are just to have a functional antispoof when you have two bridges, but all the firewalling is done in xenU-firewall, a domain connected with vif1.0 to xen-br0 (the secure network) and vif1.1 to xen-br1 (the outside).

Is it more clear? I don't think that my modifications to the scripts are that clever ... my 2 cent files!

>
> Ian
>
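Ian's question ("does the guest still only get to send packets from its allocated IP?") is the kind of thing worth checking against a modified vif-bridge script rather than by reading it. The following is an added example, not Xen's script and not Matthieu's attachment: it models the per-vif antispoof filter as an iptables FORWARD chain of `physdev` matches walked first-match-wins, builds the strict chain (each vif bound to its allocated address, the firewall domain's vifs exempt because they legitimately forward other hosts' packets, everything else from a vif dropped), and probes every vif with an address it was not allocated. The allocation table, vif names and probe address are constructed for the illustration.

```python
"""Model of Xen-style antispoof rules so a modified vif-bridge can be checked.

Constructed example, not Xen's script.  The bridge-level filter is modelled
as an iptables FORWARD chain of physdev matches evaluated first-match-wins
(the way iptables walks a chain).  The allocation table, vif names and the
probe address are assumed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    physdev_in: Optional[str]  # bridge port the frame arrived on; 'vif+' prefix wildcard allowed
    src: Optional[str]         # IP or CIDR the source must fall in; None = any
    target: str                # 'ACCEPT' or 'DROP'


def _iface_match(pattern, iface):
    if pattern is None:
        return True
    if pattern.endswith("+"):           # iptables prefix wildcard
        return iface.startswith(pattern[:-1])
    return pattern == iface


def evaluate(chain, policy, in_iface, src_ip):
    """Verdict for a frame entering the bridge on in_iface with source src_ip."""
    for rule in chain:
        if _iface_match(rule.physdev_in, in_iface) and (
            rule.src is None or ip_address(src_ip) in ip_network(rule.src, strict=False)
        ):
            return rule.target
    return policy


def antispoof_chain(allocations, relaxed=()):
    """Antispoof as the thread describes it: a vif may only source its
    allocated address.  The firewall domain's vifs (relaxed) forward other
    hosts' packets, so they must be exempt; that is the role of the extra
    rules for vifx.0.  Anything else arriving from a vif is dropped."""
    chain = [Rule(vif, None, "ACCEPT") for vif in relaxed]
    chain += [Rule(vif, ip, "ACCEPT") for vif, ip in allocations.items()]
    chain.append(Rule("vif+", None, "DROP"))
    return chain


def spoofable_vifs(chain, policy, allocations, probe_ip="10.99.99.99"):
    """Ian's question as a check: which vifs get a source address they were
    not allocated through the chain?  Only the relaxed firewall vifs should appear."""
    return sorted(v for v in allocations if evaluate(chain, policy, v, probe_ip) == "ACCEPT")


def render_iptables(chain):
    """Equivalent iptables commands, for comparing against a vif-bridge script."""
    lines = []
    for r in chain:
        parts = ["iptables", "-A", "FORWARD"]
        if r.physdev_in:
            parts += ["-m", "physdev", "--physdev-in", r.physdev_in]
        if r.src:
            parts += ["-s", r.src]
        parts += ["-j", r.target]
        lines.append(" ".join(parts))
    return lines


# Constructed allocation table: vif1.0 is the firewall domain's inside vif,
# the others belong to served domUs.
ALLOCATIONS = {"vif1.0": "192.168.1.1", "vif2.0": "192.168.1.10", "vif3.0": "192.168.1.11"}
STRICT = antispoof_chain(ALLOCATIONS, relaxed=("vif1.0", "vif1.1"))
# A "too lax" variant: accept by port alone, never checking the source.
LAX = [Rule(v, None, "ACCEPT") for v in ALLOCATIONS] + [Rule("vif+", None, "DROP")]

if __name__ == "__main__":
    for line in render_iptables(STRICT):
        print(line)
    print("strict, spoof-capable vifs:", spoofable_vifs(STRICT, "ACCEPT", ALLOCATIONS))
    print("lax, spoof-capable vifs:   ", spoofable_vifs(LAX, "ACCEPT", ALLOCATIONS))
```

Two things the model makes visible: the exemption for the firewall's vifs is unavoidable (a bridging firewall forwards everyone's source addresses), so "only the firewall vifs are spoof-capable" is the best result the antispoof option can give in this layout; and a chain that accepts by port without a `-s` match reports every vif as spoof-capable, which is what "too lax" looks like. The `physdev` match only sees bridged frames when the kernel hands them to iptables (bridge-nf), so the same check should be repeated on the live host with a frame that is expected to be dropped.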