I currently have a Xen host server setup with three nics:

eth0 -> hidden from Dom0 and assigned to my firewall domU
eth1 -> assigned to the bridge br-lan0, which is then exported to the firewall domU for my LAN (handles both domUs and real machines on the LAN subnet)
eth2 -> assigned to the bridge br-dmz0, which is then exported to the firewall domU for my DMZ (handles both domUs and real machines on the DMZ subnet)

My problem is this: I would like to be able to log into my Dom0 remotely, but do not want to put a 4th NIC in place to accomplish this; I'd rather do something like log into my firewall domU then from there SSH into Dom0, OR SSH to a different port and have the firewall domU port forward to the Dom0.

I was thinking I may be able to accomplish this by using a dummy interface on both the Dom0 and the domU firewall that are tied together, but wasn't sure about how to configure this. Would I give the dummy interface on the Dom0 an IP address, then create a dummy interface on the firewall domU on the same subnet and put appropriate routing rules in place? (I use Shorewall) Or is there a better way to accomplish this?

Thanks, in advance, for your advice.

-Alan

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
On Thu, 2005-12-15 at 23:33 -0800, Alan Murrell wrote:
> I currently have a Xen host server setup with three nics:
>
> eth0 -> hidden from Dom0 and assigned to my firewall domU
> eth1 -> assigned to the bridge br-lan0, which is then exported to the
> firewall domU for my LAN (handles both domUs and real machines on the LAN
> subnet)
> eth2 -> assigned to the bridge br-dmz0, which is then exported to the
> firewall domU for my DMZ (handles both domUs and real machines on the DMZ
> subnet)
>
> My problem is this: I would like to be able to log into my Dom0 remotely, but
> do not want to put a 4th NIC in place to accomplish this; I'd rather do
> something like log into my firewall domU then from there SSH into Dom0, OR
> SSH to a different port and have the firewall domU port forward to the Dom0
>
> I was thinking I may be able to accomplish this by using a dummy interface on
> both the Dom0 and the domU firewall that are tied together, but wasn't sure
> about how to configure this? Would I give the dummy interface on the Dom0 an
> IP address then create a dummy interface on the firewall domU on the same
> subnet and put appropriate routing rules in place? (I use Shorewall) Or is
> there a better way to accomplish this?
>
> Thanks, in advance, for your advice.
<snip>

A quick thought is to do it via VPN. Expose the Dom0 to the internal network but use iptables to restrict virtually all traffic to the Dom0 and then allow only ssh coming off of an IPSec tunnel to be allowed to go from the firewall to the Dom0 - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

If you would like to participate in the development of an open source enterprise class network security management system, please visit http://iscs.sourceforge.net
Hi John,

On Friday 16 December 2005 09:19, John A. Sullivan III wrote:
> A quick thought is to do it via VPN. Expose the Dom0 to the internal
> network but use iptables to restrict virtually all traffic to the Dom0
> and then allow only ssh coming off of an IPSec tunnel to be allowed to
> go from the firewall to the Dom0 - John

If Dom0 doesn't have a physical interface, how would I expose it to the internal network? Or are you suggesting I should add a 4th NIC?

I was thinking I might be able to use a dummy interface on Dom0, but couldn't figure out how to put it on the internal network, unless it's possible to add it to the br-lan0 bridge with an IP already on it...?

Alternatively, is it possible to add a dummy interface on both the firewall domain and Dom0, and somehow tie them together via VPN?

-Alan
On Wed, Dec 21 '05 at 07:19, Alan Murrell wrote:
> > A quick thought is to do it via VPN. Expose the Dom0 to the internal
> > network but use iptables to restrict virtually all traffic to the Dom0
> > and then allow only ssh coming off of an IPSec tunnel to be allowed to
> > go from the firewall to the Dom0 - John
>
> If Dom0 doesn't have a physical interface, how would I expose it to the
> internal network? Or are you suggesting I should add a 4th NIC?

Without going back into the archive, I think no one has come up with it: you can always give the bridge interface an IP, then you can use it from Dom0 as if it was a regular interface.

I'm currently running a Xen3 amd64 server with three bridges:

- xenbr0: with the real eth0, and a vif from a firewall domU
- privbr: one vif from the firewall, and vifs from some domUs. All interfaces on this bridge use 192.168.x.y IPs. This one also has an IP of its own, so the Dom0 can be accessed
- pubbr: one vif from the firewall, vifs from some domUs all with public IPs.

The firewall is doing routing between xenbr0 and pubbr. I'm also running a VPN domU that allows me to access the network on privbr.

Works fine so far.

--
/"\ Goetz Bock at blacknet dot de -- secure mobile Linux everNETting
\ / (c) 2005 Creative Commons, Attribution-ShareAlike 2.0 de
 X  [ 1. Use descriptive subjects - 2. Edit a reply for brevity - ]
/ \ [ 3. Reply to the list - 4. Read the archive *before* you post ]
On Fri, 2005-12-23 at 08:55 +0100, Goetz Bock wrote:
> On Wed, Dec 21 '05 at 07:19, Alan Murrell wrote:
<snip>
>
> You can always give the bridge interface an IP, then you can use it from
> Dom0 as if it was a regular interface.
>
> I'm currently running a Xen3 amd64 server with three bridges:
>
> - xenbr0: with the real eth0, and a vif from a firewall domU
> - privbr: one vif from the firewall, and vifs from some domUs. All
>   interfaces on this bridge use 192.168.x.y IPs. This one also
>   has an IP of its own, so the Dom0 can be accessed
> - pubbr: one vif from the firewall, vifs from some domUs all with public
>   IPs.
>
> The firewall is doing routing between xenbr0 and pubbr. I'm also running
> a VPN domU that allows me to access the network on privbr.
>
> Works fine so far.

Just as a suggestion, I always cringe to put any device other than a firewall directly on the Internet with public IPs, especially a domU, just in case someone, somewhere, someday figures out how to crack into the other domUs or dom0 from a compromised domU. I would generally put the public servers on yet one more bridge as a DMZ with private addresses and protect them via the firewall so that only needed services are allowed - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

If you would like to participate in the development of an open source enterprise class network security management system, please visit http://iscs.sourceforge.net
On Friday 23 December 2005 07:03, John A. Sullivan III wrote:
> Just as a suggestion, I always cringe to put any device other than a
> firewall directly on the Internet with public IPs especially a domU just

In my case, I have a DomU acting as my firewall :-)

To do remote management of the Dom0, I took rupi's suggestion and created a third bridge on my Dom0, but gave it an IP. I then exported the bridge to my firewall domU where it became a 4th interface, "eth3". I then gave this new interface on the firewall an IP on the same subnet as the "administrative" bridge I created on Dom0, and now I can ssh into the Dom0 from the firewall domU.

My configuration now looks like this:

On Dom0 (Debian Sarge):

/etc/network/interfaces

    auto br-lan0 br-dmz0 br-adm0

    # LAN bridge
    iface br-lan0 inet manual
        bridge_ports eth0

    # DMZ bridge
    iface br-dmz0 inet manual
        bridge_ports eth1

    # Administration bridge (dummy port only: no physical NIC, so Dom0 is
    # reachable only through the firewall domU's vif on this bridge)
    iface br-adm0 inet static
        address 10.253.3.2
        netmask 255.255.255.0
        bridge_ports dummy0

/etc/xen/01_fw01

    ...
    nics = 3
    vif = [ 'mac=aa:00:00:11:e2:d1,bridge=br-lan0',
            'mac=aa:00:00:11:e2:d2,bridge=br-dmz0',
            'mac=aa:00:00:11:e2:d3,bridge=br-adm0' ]
    ...

And on the firewall DomU, I just simply configure networking as I normally would (using the OS's networking config files; I use Mandriva in this case):

eth0 -> Internet interface, gets IP from ISP (also a physical interface hidden from Dom0)
eth1 -> LAN interface, 10.253.1.1
eth2 -> DMZ interface, 10.253.2.1
eth3 -> administrative interface for Dom0, 10.253.3.1

and so far it all works rather nicely. The firewall DomU of course has restrictive firewall rules on it about what is allowed to access Dom0 from the network.

I hope this can help someone else out. I am in the process of writing a "recipe" for my setup and will likely post it once done, but I am not sure on its ETA. Everything I did was pretty much pieced together from other posts on the list as well as helpful advice from others.
-Alan
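The property that makes the setup above safe is that the administrative bridge carries only a dummy port, so the only path to Dom0's 10.253.3.2 is the firewall domU's vif. The following checker is an added example, not code from the thread: it parses a constructed /etc/network/interfaces and Xen vif line modelled on the posted configuration (the function names and the `en`/`eth` physical-NIC prefixes are my own assumptions) and flags anything that would let traffic reach Dom0 without passing the firewall.

```python
# Added example, not from the thread: check that a Dom0 admin bridge is isolated.
import re
# Constructed inputs modelled on the configuration posted above (not live files).
INTERFACES = """\
auto br-lan0 br-dmz0 br-adm0
iface br-lan0 inet manual
    bridge_ports eth0
iface br-dmz0 inet manual
    bridge_ports eth1
iface br-adm0 inet static
    address 10.253.3.2
    netmask 255.255.255.0
    bridge_ports dummy0
"""
FW_VIF = ("vif = [ 'mac=aa:00:00:11:e2:d1,bridge=br-lan0', "
          "'mac=aa:00:00:11:e2:d2,bridge=br-dmz0', 'mac=aa:00:00:11:e2:d3,bridge=br-adm0' ]")

def parse_interfaces(text):
    """Parse /etc/network/interfaces stanzas into {iface: {option: value}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == 'auto':
            continue
        if tok[0] == 'iface':
            cur = ifaces.setdefault(tok[1], {'method': tok[3], 'bridge_ports': []})
        elif cur is not None and tok[0] == 'bridge_ports':
            cur['bridge_ports'] = tok[1:]
        elif cur is not None:
            cur[tok[0]] = ' '.join(tok[1:])
    return ifaces

def vif_bridges(vif_line):
    """Bridge names in a Xen 'vif = [...]' line, in order."""
    return re.findall(r"bridge=([\w.-]+)", vif_line)

def admin_bridge_problems(ifaces, vif_line, bridge='br-adm0'):
    """Isolation violations for the admin bridge; an empty list means it is OK."""
    cfg = ifaces.get(bridge)
    if cfg is None:
        return [f'{bridge} is not defined on Dom0']
    problems = []
    if cfg['method'] != 'static' or 'address' not in cfg:
        problems.append(f'{bridge} gives Dom0 no static address')
    # A physical NIC on this bridge would let hosts reach Dom0 without passing the firewall.
    phys = [p for p in cfg['bridge_ports'] if p.startswith(('eth', 'en'))]
    if phys:
        problems.append(f'{bridge} bridges physical NIC(s) {phys}')
    if vif_bridges(vif_line).count(bridge) != 1:
        problems.append(f'firewall domU needs exactly one vif on {bridge}')
    return problems
```

Run it against the real files after each change to the Dom0 network or domU config; an empty list from `admin_bridge_problems` means the admin path still goes only through the firewall domU.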