Hi all,

I've been reading up on the xen networking options / differences as written in http://wiki.kartbuilding.net/index.php/Xen_Networking and see a couple of examples that interest me like the (default) bridging but also the routed networking.

However, the thing I'm most interested in would be transparent network bridging like a firewall bridge where the bridging host (dom0) has no exposed IP address to the outside world and is only accessible through the console or a completely separate management interface (eth1, not accessible from any of the domUs).

Since dom0 has no IP interface exposed to the outside but only acts as a bridge from the outside to the domUs, that would make the dom0 a bit more secure.

Would such an implementation be feasible or does the dom0 network interface always have to have an IP stack for the bridging to work?

Regards,
Jeroen Kleijer

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
On Tue, Apr 08, 2008 at 05:50:56PM +0200, Jeroen Kleijer wrote:
> Hi all,
>
> I've been reading up on the xen networking options / differences as
> written in http://wiki.kartbuilding.net/index.php/Xen_Networking and
> see a couple of examples that interest me like the (default) bridging
> but also the routed networking.
>
> However, the thing I'm most interested in would be transparent network
> bridging like a firewall bridge where the bridging host (dom0) has no
> exposed IP address to the outside world and is only accessible through
> the console or a completely separate management interface (eth1, not
> accessible from any of the domUs)
>
> Since dom0 has no IP interface exposed to the outside but only acts as
> a bridge from the outside to the domUs, that would make the dom0 a
> bit more secure.
>
> Would such an implementation be feasible or does the dom0 network
> interface always have to have an IP stack for the bridging to work?

The IP interface doesn't have to have an IP address, just be up, but I don't know if such a configuration is supported by xen's network configuration scripts.

--
lfr
0/0
Luciano Rocha wrote on Tue, 8 Apr 2008 17:04:54 +0100:
> The IP interface doesn't have to have an IP address, just be up, but I
> don't know if such configuration is supported by xen's network
> configuration scripts.

I know that you can assign a private IP address to Dom0 and it still works for public addresses on DomU. I don't know if it works completely without an IP address.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Hi Jeroen,

Jeroen Kleijer wrote:
> However, the thing I'm most interested in would be transparent network
> bridging like a firewall bridge where the bridging host (dom0) has no
> exposed IP address to the outside world and is only accessible through
> the console or a completely separate management interface (eth1, not
> accessible from any of the domUs)
>
> Since dom0 has no IP interface exposed to the outside but only acts as
> a bridge from the outside to the domUs, that would make the dom0 a
> bit more secure.

Absolutely. This is the setup I use myself. I have a two-interface firewall in a domU.

> Would such an implementation be feasible or does the dom0 network
> interface always have to have an IP stack for the bridging to work?

A network interface doesn't have to have an IP address to be in use, regardless of whether it is connected to a bridge or not.

This is how I set up the interfaces on the dom0:

    # egrep -v "^(#|$)" /etc/network/interfaces
    auto lo
    iface lo inet loopback
    allow-hotplug eth0
    iface eth0 inet static
        address 192.168.221.4
        netmask 255.255.255.0
        gateway 192.168.221.2

Note that I don't even bother to mention eth1, the external interface. It doesn't get an IP.

I followed this example:
<http://wiki.xensource.com/xenwiki/XenNetworking#head-7b845eda5e0154fecb98165adbd774f6168119d1>
... which recommended creating a custom network script:

    # cat /etc/xen/scripts/my-network-script
    #!/bin/sh
    dir=$(dirname "$0")
    "$dir/network-bridge" "$@" vifnum=0
    "$dir/network-bridge" "$@" vifnum=1

... which is then used by xen:

    # egrep -v "^(#|$)" /etc/xen/xend-config.sxp
    (network-script my-network-script)
    (vif-script vif-bridge)
    (dom0-min-mem 196)
    (dom0-cpus 0)

And finally, the firewall domU is configured like this:

    # egrep -v "^(#|$)" /etc/xen/zack.cfg
    kernel = '/boot/vmlinuz-2.6.18-5-xen-686'
    ramdisk = '/boot/initrd.img-2.6.18-5-xen-686'
    memory = '96'
    root = '/dev/sda1 ro'
    disk = [ 'phy:vg-james/zack-disk,sda1,w', 'phy:vg-james/zack-swap,sda2,w' ]
    name = 'zack'
    xen_shell = 'zack'
    vif = [ 'mac=00:16:3e:92:7b:c5, bridge=xenbr0', 'mac=00:16:3e:a6:63:5d, bridge=xenbr1' ]
    on_poweroff = 'destroy'
    on_reboot = 'restart'
    on_crash = 'restart'

And don't forget to add "post-up ethtool -K <device> tx off" to the interface stanzas in /etc/network/interfaces of the domUs like this:

    auto eth0
    iface eth0 inet dhcp
        post-up ethtool -K eth0 tx off

Good luck!
/Martin Leben
Hi,

On Tuesday, 8 April 2008 17:50, Jeroen Kleijer wrote:
[..]
> Would such an implementation be feasible or does the dom0 network
> interface always have to have an IP stack for the bridging to work?

A bridge is layer 2, IP is layer 3. So there's no problem using a bridge without IP.

I've a setup where dom0 has two NICs bonded, and bond0 is part of the bridge for the domUs. And neither has an IP in dom0, only the vifs in the domUs have IPs.

--
greetings

eMHa
What you've described here is what I'm working on right now. I've set up my dom0 with two NICs bonded as bond0. I'm going to be running say 3 or 4 VMs on this host that will each have their own static IPs. I just haven't figured out how to make it all work as far as the VMs' networking is concerned. Do you recall the steps that you performed to make your setup work?

Thanks,
Mike

On Tue, Apr 8, 2008 at 3:42 PM, Markus Hochholdinger <Markus@hochholdinger.net> wrote:
> Hi,
>
> On Tuesday, 8 April 2008 17:50, Jeroen Kleijer wrote:
> [..]
>> Would such an implementation be feasible or does the dom0 network
>> interface always have to have an IP stack for the bridging to work?
>
> A bridge is layer 2, IP is layer 3. So there's no problem using a bridge
> without IP.
>
> I've a setup where dom0 has two NICs bonded, and bond0 is part of the bridge
> for the domUs. And neither has an IP in dom0, only the vifs in the domUs have
> IPs.
>
> --
> greetings
>
> eMHa
Hi,

On Wednesday, 18 June 2008 23:56, Michael Kershaw wrote:
> What you've described here is what I'm working on right now. I've
> set up my dom0 with two NICs bonded as bond0. I'm going to be running
> say 3 or 4 VMs on this host that will each have their own static
> IPs. I just haven't figured out how to make it all work as far as
> the VMs' networking is concerned. Do you recall the steps that you
> performed to make your setup work?

Yes. First, you need to make the bond interface active-passive, otherwise it will conflict with the bridge:

    modprobe bonding mode=1 miimon=100

I put this in /etc/modules:

    bonding mode=1 miimon=100

On my Debian machines I set up the network with /etc/network/interfaces:

    auto bond0
    iface bond0 inet manual
        pre-up ifconfig bond0 up
        pre-up ifenslave bond0 eth2 eth3
        pre-down ifenslave -d bond0 eth2 eth3

As you see I use eth2 and eth3 as network interfaces for bonding.

I also use VLANs on top of the bonding, so I set up my xenbr0 in /etc/network/interfaces for VLAN 2 as follows:

    auto xenbr0
    iface xenbr0 inet manual
        vlan-raw-device bond0
        bridge_ports bond0.2
        bridge_fd 0
        bridge_stp off
        post-up ip link set xenbr0 arp off
        post-up ip link set xenbr0 multicast off

Other bridges with VLANs can be made in /etc/network/interfaces. Here an example with VLAN 3:

    auto xenbr3
    iface xenbr3 inet manual
        vlan-raw-device bond0
        bridge_ports bond0.3
        bridge_fd 0
        bridge_stp off
        post-up ip link set xenbr3 arp off
        post-up ip link set xenbr3 multicast off

If you don't want to (or can't) use VLANs you can use:

    auto xenbr0
    iface xenbr0 inet manual
        bridge_ports bond0
        bridge_fd 0
        bridge_stp off
        post-up ip link set xenbr0 arp off
        post-up ip link set xenbr0 multicast off

For the bridge I use no spanning tree protocol and my forward delay is 0. Because there are no IP addresses on my bridge I don't need ARP and multicast on this interface.

With this setup I can use xenbr0 or xenbr3 as bridge targets in my domU xen configurations.

Be sure that no xen script is trying to make any bridge for you! For this I set

    (network-script network-dummy)

in /etc/xen/xend-config.sxp.

On the other side of your real network interfaces you need a router with an IP. This IP will be your default gateway for the domUs. In my setup I have a firewall cluster for this, otherwise bonding would be really needless.

PS: I'm using Debian 4.0 for this setup without anything special.

--
greetings

eMHa
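A small shell helper, added here as an example and not taken from any of the posts in this thread: it generates the VLAN-on-bond0 bridge stanza Markus describes for any bridge name / VLAN id, and audits "ip -o -4 addr show" output for bridges that were accidentally given an IPv4 address, which is exactly what both Martin's eth1 and Markus's xenbr* bridges must never have. The bond0 name and stanza layout follow Markus's post; the "demo" argument and the sample ip output are constructed for this example.

```shell
#!/bin/sh
# Added example for this thread (not the posters' own scripts).
# 1) gen_bridge_stanza: emit the ifupdown stanza for a transparent Xen
#    bridge on top of bond0 VLAN <id>, as in Markus's setup.
# 2) find_addressed_ifaces / check_transparent: audit "ip -o -4 addr show"
#    output for interfaces that carry an IPv4 address and so are NOT
#    transparent (a bridge with an address exposes dom0 on the guest LAN).

gen_bridge_stanza() {
    br="$1"; vid="$2"
    printf 'auto %s\n' "$br"
    printf 'iface %s inet manual\n' "$br"
    printf '\tvlan-raw-device bond0\n'
    printf '\tbridge_ports bond0.%s\n' "$vid"
    printf '\tbridge_fd 0\n'        # forward delay 0: vifs forward at once
    printf '\tbridge_stp off\n'     # no STP on a single-uplink bridge
    printf '\tpost-up ip link set %s arp off\n' "$br"   # no IP -> no ARP
    printf '\tpost-up ip link set %s multicast off\n' "$br"
}

# With -o, "ip -4 addr show" prints one line per IPv4 address, so only
# interfaces that HAVE an address appear at all. Field 2 is the interface
# name, field 3 the family. Print the names that start with the prefix.
find_addressed_ifaces() {
    awk -v p="$1" 'index($2, p) == 1 && $3 == "inet" { print $2 }'
}

# Read ip output on stdin; succeed only if no interface matching the
# prefix has an IPv4 address.
check_transparent() {
    [ -z "$(find_addressed_ifaces "$1")" ]
}

# Constructed sample output (not from a real host): eth0 is the
# management interface and legitimately has an address; xenbr3 must not.
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.221.4/24 brd 192.168.221.255 scope global eth0
5: xenbr3    inet 10.0.3.1/24 brd 10.0.3.255 scope global xenbr3'

# Stand-alone run: "sh script.sh demo". On a real dom0 pipe the live
# output of "ip -o -4 addr show" into check_transparent instead.
if [ "${1:-}" = "demo" ]; then
    gen_bridge_stanza xenbr3 3
    if printf '%s\n' "$SAMPLE_IP_OUTPUT" | check_transparent xenbr; then
        echo "OK: no xenbr* interface has an IPv4 address"
    else
        echo "WARNING: bridges with an IPv4 address:"
        printf '%s\n' "$SAMPLE_IP_OUTPUT" | find_addressed_ifaces xenbr
    fi
fi
```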