Hi all,

I have the following Xen config and I was wondering what you'd recommend as a firewall setup.

Dom0 - 198.175.98.50
Dom1 - 198.175.98.63 (Bridged)
Dom2 - 198.175.98.62 (Bridged)
Dom3 - 198.175.98.61 (Bridged)
Dom4 - 198.175.45.12 (Bridged)

I'm wondering how to set up a firewall for Dom0 when all traffic for the DomUs goes 'through' it. How should the firewall take this into account?

On a side note, I read a more secure way was to have the 'primary' Dom be a DomU firewall to avoid exploits to the Dom0, but I can't find proper documentation for such a setup. Can someone point me in the right direction please?

Many thanks.
--
eco

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
On Mon, Dec 15, 2008 at 12:21 AM, <lists@precognet.com> wrote:
> I'm wondering how to set up a firewall for Dom0 when all traffic for the
> DomUs goes 'through' it. How should the firewall take this into account?
>
> On a side note, I read a more secure way was to have the 'primary' Dom to
> be a DomU firewall to avoid exploits to the Dom0 but I can't find proper
> documentation for such a setup. Can someone point me in the right direction
> please?

There are multiple ways of accomplishing your goal but I'll tell you what I do.

Put virtually no software on Dom0 outside of the xen stuff and a firewall/IDS.

Dom0 has two interfaces:
  eth0 (physical network connection)
  dummy0

To set up dummy0, /etc/sysconfig/network-scripts/ifcfg-dummy0:

    DEVICE=dummy0
    BOOTPROTO=none
    ONBOOT=yes
    USERCTL=no
    IPV6INIT=no
    PEERDNS=yes
    TYPE=Ethernet
    NETMASK=255.255.0.0
    IPADDR=192.168.1.254
    ARP=yes

Create an internal bridge called br0 for all DomUs - with libvirt (CentOS 5.2) edit /etc/libvirt/qemu/networks/autostart/default.xml

Add dummy0 to bridge br0 in the xend-config.sxp scripts:

    (network-script 'network-virtual bridge="br0" bridgeip="192.168.1.1/24" brnet="192.168.1.0/24"')
    (vif-script vif-bridge)

This way DomUs can communicate with dummy0 on Dom0. The only way for traffic to flow from the bridge to the outside world is through Dom0's firewall.

Dom0 firewall:

    #iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -j MASQUERADE
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    iptables -A FORWARD -i eth0 -o dummy0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -i dummy0 -o eth0 -j ACCEPT

    ### Port Forwarding ###
    #iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 10010 -j DNAT --to 192.168.1.10:22
    #iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 10011 -j DNAT --to 192.168.1.11:22
    #iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 10012 -j DNAT --to 192.168.1.12:22

This will get you started. It allows any returning traffic from an internal connection (DomU) to be reconnected to the DomU. It also forwards port 10010 from the outside to the domU with the IP address 192.168.1.10, port 22, etc.

I might have forgotten a few things but I think this will get you going. You can add to this firewall to allow more traffic through or limit traffic out etc. Standard firewall rules apply here.

I'll be writing a real in-depth tutorial for my site grantmcwilliams.com some day in the future. If anyone has ideas to make this more streamlined I'm all ears.

Grant McWilliams

Some people, when confronted with a problem, think "I know, I'll use Windows."
Now they have two problems.
lists@precognet.com wrote:
> I'm wondering how to set up a firewall for Dom0 when all traffic for
> the DomUs goes 'through' it. How should the firewall take this into
> account?
>
> On a side note, I read a more secure way was to have the 'primary'
> Dom to be a DomU firewall to avoid exploits to the Dom0 but I can't
> find proper documentation for such a setup. Can someone point me in
> the right direction please?

I'll do the second one first as a) it's shorter, and b) if I do it at the end it's likely to get missed!

I think what you are referring to is the practice of making a DomU have the only connection to the outside, and for it to run as a two port firewall. You can either configure a second bridge to get the external traffic to the DomU, or hide the PCI device and make it a native hardware device available only to the DomU - the latter is what I have at home, and also I believe what Tom Eastep (author of the Shorewall package) runs for his Shorewall hosting.

For a firewall, I can recommend Shorewall (http://www.shorewall.net) which I believe takes a good position between low level (native iptables) and too restrictive.

Now, to the first bit:

I have another server that is set up something similar to your setup. I hand crafted an init file to configure a few iptables rules to protect Dom0 - it's pointless trying to run a full firewall as a) I'm not sure anyone really understands networking fully under Xen, and b) the network keeps changing when guests start or stop.

My init script is (it actually has more as the machine has multiple networks, but I've ripped out all but one):

    #! /bin/sh
    ### BEGIN INIT INFO
    # Provides:          firewall
    # Required-Start:    $networking
    # Required-Stop:     $networking
    # Should-Start:
    # Default-Start:     2 3 4 5
    # Default-Stop:      0 1 6
    # Short-Description: Firewall - home grown bash/iptables script
    # Description:       Script to build basic firewall directly with /sbin/iptables
    ### END INIT INFO

    set -e

    . /lib/lsb/init-functions

    ExtAdd=a.b.c.d

    case "$1" in
      start)
        log_daemon_msg "Starting firewall"

        # Clear /sbin/iptables first
        /sbin/iptables -F

        # Set traffic not addressed to us to no-track
        # t:raw c:prerouting
        /sbin/iptables -t raw -A PREROUTING --in-interface ethext --dst ! $ExtAdd -j NOTRACK

        # filter:inbound
        # t:filter c:inbound-ext
        /sbin/iptables -t filter --new inbound-ext
        # allow established streams (ie outbound initiated connections)
        /sbin/iptables -t filter -A inbound-ext -m state --state RELATED,ESTABLISHED -j ACCEPT
        # allow icmp
        /sbin/iptables -t filter -A inbound-ext --src a.b.c.0/29 -p icmp --icmp-type 8 -j ACCEPT
        /sbin/iptables -t filter -A inbound-ext -p icmp --icmp-type 8 -m limit --limit 6/minute --limit-burst 10 -j ACCEPT
        /sbin/iptables -t filter -A inbound-ext -p icmp --icmp-type 8 -j DROP
        /sbin/iptables -t filter -A inbound-ext -p icmp -j ACCEPT
        # allow ssh
        /sbin/iptables -t filter -A inbound-ext --src a.b.c.0/29 -p tcp --dport 22 -j LOG --log-level info --log-prefix "FW net2fw"
        /sbin/iptables -t filter -A inbound-ext --src a.b.c.0/29 -p tcp --dport 22 -j ACCEPT
        # drop everything else
        /sbin/iptables -t filter -A inbound-ext -j DROP

        # filter: send inbound packets to us to chain inbound-[ext|bak|int]
        # t:filter c:INPUT
        # policy allow
        /sbin/iptables -t filter -A INPUT --dst $ExtAdd -j inbound-ext

        log_end_msg 0
        ;;
      stop)
        log_daemon_msg "Stopping firewall"
        /sbin/iptables -F
        /sbin/iptables -F -t raw
        /sbin/iptables -X inbound-ext
        log_end_msg 0
        ;;
      *)
        echo "Usage: /etc/init.d/firewall {start|stop}"
        exit 1
    esac

    exit 0

Now, what I believe this does is:

Not track any traffic coming in on the external interface that isn't addressed to us.
Permits certain inbound traffic.
Blocks everything else.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
Simon Hobson wrote:
> I have another server that is set up something similar to your setup. I hand
> crafted an init file to configure a few iptables rules to protect Dom0 -
> it's pointless trying to run a full firewall as a) I'm not sure anyone
> really understands networking fully under Xen, and b) the network keeps
> changing when guests start or stop.

The one thing that I'd like to say is that if all your DomUs have static IPs you can firewall them just like a firewall protecting any other NATed private network. If they're dynamic you've got some issues.

Grant McWilliams
In case it is relevant, I simply allow all traffic to traverse the forwarding chain when it is headed to a bridged destination. I then simply run a firewall on dom0 and each domU as if they were all individual machines. This seems to me like the way to go short of doing something more drastic with hardware isolation, but as a lot of people prefer to have much more complex firewall setups, it is certainly likely that at least some of them have good reason.

Dustin
On Mon, Dec 15, 2008 at 1:05 PM, Dustin Henning <Dustin.Henning@prd-inc.com> wrote:
> In case it is relevant, I simply allow all traffic to traverse the
> forwarding chain when it is headed to a bridged destination. I then simply
> run a firewall on dom0 and each domU as if they were all individual
> machines.

Keep in mind that this method means you'll be managing multiple firewalls. In my case it would be about 30 firewalls total. By separating the internal private network from the real network you can run with one firewall. However, having said that, you can only forward each outside port to one port on one domU. This means if you have multiple web servers you can't forward the external port 80 to more than one internal one, possibly making it messy for external clients accessing the virtual machines by requiring them to access services on non-standard ports. In my setup this is fine because I only forward one port anyway (ssh) to allow remote logins.

In summary:

To simulate a traditional open network where all virtual hosts (and all ports) are accessible by all external clients you will want to just make sure the peth0 physical network device is added to the bridge that Xen uses for domUs. This will require you to have firewalls on all DomUs in addition to a firewall on Dom0, as Dustin has outlined.

To simulate a private network where all traffic is routed through a firewall you'll want to use my original suggestion or similar. This entails setting up eth0 on Dom0 as a connection to the outside world and dummy0 as a connection to the Xen bridge where the DomUs reside. This will require you to configure a firewall on Dom0 that will filter and pass traffic from an externally accessible port to the desired port of the DomU in question.

Grant McWilliams
On December 15, 2008 1:50 pm Grant McWilliams wrote:
> However, having said that you can only forward each outside
> port to one port on one domU. This means if you have multiple web servers
> you can't forward the external port 80 to more than one internal possibly
> making it messy for external clients accessing the virtual machines by
> requiring them to access services on non-standard ports. In my setup this
> is fine because I only forward one port anyway (ssh) to allow remote
> logins.

You can always use 1:1 NAT between a public IP and a private IP, for each domU. There's nothing that forces you to use a single IP for the firewalled interface.

--
Freddie
fjwcash@gmail.com
I do firewalling in this way: the external NIC is attached to dom0 and has multiple IP addresses (which are on the public internet). The xenbr0 has the IP address 10.0.0.1 and my domUs are on that 10.0.0.x network. All necessary services are firewalled in the dom0 and their necessary ports are forwarded using NAT. So I'm able to run multiple webservers (each on its own IP and with port 80), a DNS server, a mail server and a Windows machine, each in a properly firewalled domU. There's nothing special about that.

But please note that some services might not work using NATted transfers. This is just a suggestion, please prove me wrong if there are any.

----- Original Message ----
From: Freddie Cash <fjwcash@gmail.com>
To: xen-users@lists.xensource.com
Sent: Monday, 15 December 2008, 22:56:06
Subject: Re: [Xen-users] Firewalling Xen?

> You can always use 1:1 NAT between a public IP and a private IP, for each
> domU. There's nothing that forces you to use a single IP for the
> firewalled interface.
Freddie Cash wrote:
> You can always use 1:1 NAT between a public IP and a private IP, for each
> domU. There's nothing that forces you to use a single IP for the
> firewalled interface.

As long as you have more than one public IP of course...

Grant McWilliams
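Added example, not posted by anyone in the thread: a POSIX shell script that emits the Dom0 rule set for the eth0/dummy0 layout Grant describes, covering both his port-forwarding style and the 1:1 NAT per DomU that Freddie suggests (which needs a public address per DomU, as Grant notes). Interface names, the 192.168.1.0/24 DomU network and the 198.51.100.20 public address are assumed/constructed; it prints the iptables commands unless IPT points at the real binary. It differs from Grant's snippet in setting a DROP policy on FORWARD, which means every DNAT needs a matching FORWARD accept or the forwarded connection never opens.

```shell
#!/bin/sh
# Generates Dom0 firewall rules for a Xen host whose DomUs sit on a private
# bridge (dummy0/br0) and reach the Internet only through Dom0 (eth0).
# Dry run by default: IPT="echo iptables" prints the rules. To apply them,
# run with IPT=/sbin/iptables as root. All addresses below are constructed.

IPT="${IPT:-echo iptables}"
EXT_IF="${EXT_IF:-eth0}"            # physical, Internet-facing interface on Dom0
INT_IF="${INT_IF:-dummy0}"          # Dom0 leg of the DomU-only bridge
INT_NET="${INT_NET:-192.168.1.0/24}" # private network the DomUs live on

# Base policy: default DROP on FORWARD, allow replies back in, allow
# DomU -> Internet, hide the DomUs behind Dom0's address.
fw_base() {
    $IPT -F
    $IPT -t nat -F
    $IPT -P FORWARD DROP
    # replies to connections initiated from the DomU side
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    # DomUs may reach the outside; -s keeps a DomU from spoofing another network
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j MASQUERADE
}

# fw_forward EXTPORT DOMU_IP INTPORT : one external port -> one DomU port.
# The DNAT rewrites the destination in PREROUTING; the rewritten packet is
# then routed and still has to pass FORWARD, hence the second rule.
fw_forward() {
    ext_port=$1; domu_ip=$2; int_port=$3
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$ext_port" \
        -j DNAT --to-destination "$domu_ip:$int_port"
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$domu_ip" --dport "$int_port" \
        -m state --state NEW -j ACCEPT
}

# fw_nat11 PUBLIC_IP PRIVATE_IP PORT... : 1:1 NAT for a DomU with its own
# public address. PUBLIC_IP must already be routed to Dom0 (e.g. a secondary
# address on EXT_IF). Inbound to it is rewritten to the DomU; outbound from
# the DomU leaves with its own public IP (the SNAT is inserted ahead of the
# shared MASQUERADE rule). Only the listed TCP ports are opened inbound.
fw_nat11() {
    public_ip=$1; private_ip=$2; shift 2
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$public_ip" -j DNAT --to-destination "$private_ip"
    $IPT -t nat -I POSTROUTING -o "$EXT_IF" -s "$private_ip" -j SNAT --to-source "$public_ip"
    for port in "$@"; do
        $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$private_ip" --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
}

# Rule set matching the thread: ssh to three DomUs via 10010-10012, plus one
# DomU that owns a public address (198.51.100.0/24 is documentation space).
fw_example() {
    fw_base
    fw_forward 10010 192.168.1.10 22
    fw_forward 10011 192.168.1.11 22
    fw_forward 10012 192.168.1.12 22
    fw_nat11 198.51.100.20 192.168.1.20 80 443
}

fw_example
```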
> I'm wondering how to set up a firewall for Dom0 when all traffic for the
> DomUs goes 'through' it. How should the firewall take this into account?
>
> On a side note, I read a more secure way was to have the 'primary' Dom to
> be a DomU firewall to avoid exploits to the Dom0 but I can't find proper
> documentation for such a setup. Can someone point me in the right
> direction please?

On my server I have the firewall all on Dom0, despite some recommendations to the contrary. That way if something goes wrong after an upgrade, or if I want to boot into a non-xen kernel, I still have connectivity. The machine is at a colo but I still have console access (HP iLO2), so I could move the firewall and still be able to get to it in an emergency. It seems easier this way though.

Do you want to firewall the DomUs from each other? Or just from the internet? If the former then you'll need to have iptables interact with the bridging code, which always gives me a headache. If the latter, then I would try and arrange it so that the physical Ethernet device is on Dom0 on its own IP address and not bridged, and then route onto a bridge which isn't connected to a physical network adapter, and put the firewall rules on Dom0 between the physical network and the bridged network. You might need some more IP addresses though. If you have lots of IP addresses already, you could split your network up into a bunch of /30s and route between them...

James
lists@precognet.com wrote:
> I'm wondering how to set up a firewall for Dom0 when all traffic for the DomUs goes 'through' it.

Hi,

as we do commercial VPS hosting with xen and our own open source management interface, we have designed a small anti-DoS firewall to set up in your dom0. It does nothing spectacular, but it helps against ssh dictionary attacks, and other very common flood types that might hurt your server: ping, syn, etc.

http://git.gplhost.com/gitweb/?p=dtc-xen.git;a=blob;f=debian/dtc-xen.init;h=5e4df2e46e3a872a2d73ada77e24e8bb242f8b6b;hb=a75a32b23d6dde71dc684045b3c2e7051c30e6fa

I'd be happy to have contributions in this small script, which is by the way very simple to extend (just add a few functions for yourself and share, then anybody can enable/disable them with ease).

Thomas

P.S: For further discovery of the projects see the URLs below:
http://packages.debian.org/lenny/dtc
http://packages.debian.org/lenny/dtc-xen
http://www.gplhost.com/software-dtc.html
http://www.gplhost.com/software-dtc-xen.html
On Tue, Dec 16, 2008 at 9:01 AM, Thomas Goirand <thomas@goirand.fr> wrote:
> as we do commercial VPS hosting with xen and our own open source
> management interface, we have designed a small anti-DoS firewall to
> setup in your dom0. It does nothing spectacular, but it helps against
> ssh dictionary attacks, and other very common flood types that might
> hurt your server: ping, syn, etc.
>
> http://git.gplhost.com/gitweb/?p=dtc-xen.git;a=blob;f=debian/dtc-xen.init;h=5e4df2e46e3a872a2d73ada77e24e8bb242f8b6b;hb=a75a32b23d6dde71dc684045b3c2e7051c30e6fa

Don't you mean this ;-)

http://git.gplhost.com/gitweb/?p=dtc-xen.git;a=blob;f=debian/dtc-xen-firewall.init;h=16139921d6efd6fc2e407f7d80b11fae97befdf9;hb=a75a32b23d6dde71dc684045b3c2e7051c30e6fa

A bit off topic, but can dtc-xen control its users in a way that you can assign an admin per VM? What I'm looking for is to have each student manage his and only his domU.

Grant McWilliams
--- Grant McWilliams <grantmasterflash@gmail.com> wrote:
> A bit off topic but can dtc-xen control its users in a way that you
> can assign an admin per VM? What I'm looking for is to have each student
> manage his and only his domU.

Hi folks,

Just came across this thread. The setup of the Xen box here is as follows:

Dom0 - a workstation for remote setup/config of DomUs
DomU1 - mail server for routing (headless)
DomU2 - mail server for domain1 (headless)
DomU3 - mail server for domain2 (headless)
DomU4 - mail server for domain3 (headless)
etc.

Firewall is only running on domU1. I'm running virtual domains, with all domains pointing at the same public IP (one public IP). All ports on the router are forwarded to the local IP of DomU1. Do I need to have a firewall installed on each DomU? TIA

B.R.
Stephen L
Grant McWilliams wrote:
> Don't you mean this ;-)
>
> http://git.gplhost.com/gitweb/?p=dtc-xen.git;a=blob;f=debian/dtc-xen-firewall.init;h=16139921d6efd6fc2e407f7d80b11fae97befdf9;hb=a75a32b23d6dde71dc684045b3c2e7051c30e6fa

Yes, sorry for the confusion!!! :)

> A bit off topic but can dtc-xen control its users in a way that you can
> assign an admin per VM? What I'm looking for is to have each student manage
> his and only his domU.

Well, it's a full commercial hosting solution, we have hundreds of customers using it, so of course it supports what you are asking for, and it's a fully automated solution.

That's the goal yes! Each "virtual admin" user can:
- set the RDNS
- do xm stop / xm start / xm shutdown on his VPS (and his VPS only)
- do fsck.ext3 -f -y for his partition (if his VPS is shut down)
- reinstall his OS (if his VPS is shut down), many OSes supported either through network setup (yum install or debootstrap) or using images
- see his network, I/O and CPU usage in realtime
- see the above, and all the other VPSes on the node (very useful if one customer is abusing and the others want to know)
- do "xm console" by simply doing ssh xenXX@nodeYYY.gplhost.com (this ssh password can be changed using DTC, or an ssh key can be used too)
- set the CD to boot on, and manage the VNC console (HVM guests only)
- select to use the NetBSD or NetBSD-INSTALL kernel (NetBSD guests only)
- renew his VPS for the period(s) defined in the hosting package

Each admin can have one or more VPS.

Note that dtc-xen is NOT an interface, just a SOAP service over HTTPS with auth, on which DTC connects to give orders to or to collect data from your dom0.

Thomas
On Tue, Dec 16, 2008 at 10:39 PM, Thomas Goirand <thomas@goirand.fr> wrote:
> Each admin can have one or more VPS.
>
> Note that dtc-xen is NOT an interface, just a SOAP service over HTTPS
> with auth, on which DTC connects to give orders to or to collect data
> from your dom0.

Thanks for the rundown. Most of the solutions I've found have been overly complex. I'll look into dtc. How hard is it to create and delete accounts with VPS via automated scripts? I'd like to have a script parse a CSV file each quarter and add the appropriate users and link to VMs.

Grant McWilliams
Hi!

I set up my servers this way and prefer it as the most flexible solution for me.

Dom0 (no firewall, firewalled externally by the ISP's firewall) - independent host machine, no special setup, for easy replacement if it fails
DomU1 (dedicated shorewall firewall machine doing NAT, load balancing, proxying etc. for the other DomUs in the virtual LAN)
DomUs X (all inside the LAN, behind the DomU1 firewall)
DomUs Y (proxyarped in the DMZ zone, look like standalone machines from the internet)

So everything is bridged (NET, LAN, DMZ bridges).

Very flexible, I can replace any component and my DomUs are not bound to Dom0. I can move DomUs easily within my Dom0s.

andris

Stephen Liu wrote:
> Just came across this thread. The setup of the Xen box here is as
> follows;
>
> Dom0 - a workstation for remote setup/config DomU
> DomU1 - mail server for routing (headless)
> DomU2 - mail server for domain1 (headless)
> DomU3 - mail server for domain2 (headless)
> DomU4 - mail server for domain3 (headless)
> etc.
>
> Firewall is only running on domU1. I'm running virtual domains, with
> all domains pointing at the same public IP (one public IP). All ports
> on router are forwarded to the local IP of DomU1. Do I need to have
> firewall installed on each DomU? TIA
Thank you *all* for your help and advice. I'll get cracking right away. Your help is much appreciated.

Thanks.
--
eco

----- lists@precognet.com wrote:
> I have the following Xen config and I was wondering what you'd
> recommend as a firewall setup.
On Wed, Dec 17, 2008 at 12:06 AM, Andris <andris@lemon.lv> wrote:
> Hi!
>
> I set up my servers this way and prefer it as the most flexible solution for
> me.
>
> Dom0 (no firewall, firewalled externally by ISP's firewall) - independent
> host machine, no special setup for easy replacement if it fails
> DomU1 (Dedicated shorewall firewall machine doing nat, load balancing,
> proxying etc. for the other DomUs in the virtual LAN)
> DomUs X (all inside LAN, behind DomU1 firewall)
> DomUs Y (proxyarped in DMZ zone, look like standalone machines from
> the internet)
>
> So everything is bridged (NET, LAN, DMZ bridges)
>
> Very flexible, I can replace any component and my DomUs are not bound to
> Dom0. I can move DomUs easily within my Dom0s.
>
> andris

So you have the DomU1's IP address exposed to the outside and then have one of its network interfaces on the internal private network's bridge? I'd assume this means that the DomU1's other network interface would be added to the eth0 bridge that peth0 resides on?

I'm not sure I like the idea of Dom0 sitting there unprotected. Let's not forget that if another machine anywhere on the real network were exploited the Dom0 is a sitting duck. The consequences of Dom0 falling are huge. You could just keep it that same way and put a firewall on Dom0 anyway, because what do you really want to allow in since the router is really DomU1?

I was thinking though of having the traffic come in eth0 and have Dom0's firewall forward everything to the first DomU, which would then do all the real filtering and NAT. I only have one external IP address to use. I'm a bit worried about speed though since I'm filtering everything twice.

Grant
Hi Andris,

Thanks for your advice. The setup of your Xen box is quite similar to mine. The whole system is still under testing, NOT for production yet.

> I set up my servers this way and prefer it as the most flexible solution
> for me.
>
> Dom0 (no firewall, firewalled externally by ISP's firewall) -
> independent host machine, no special setup for easy replacement if it fails

For testing convenience no firewall is running on Dom0. But after testing is completed I'll install a firewall on Dom0.

> DomU1 (Dedicated shorewall firewall machine doing nat, load
> balancing, proxying etc. for the other DomUs in the virtual LAN)

Same as here: DomU1 is only for routing, with shorewall running, also doing proxying.

> DomUs X (all inside LAN, behind DomU1 firewall)

Also same as here: all DomUs are protected behind the firewall of DomU1.

The whole system is working nicely on the Intranet (local network). My further test is to allow other PCs on the Internet to connect to the DomUs remotely to fetch mails, also via DomU1 by proxying. I don't run a separate proxy server here. In such a case I wonder whether each DomU needs its own firewall?

Thanks

B.R.
Stephen L

> DomUs Y (proxyarped in DMZ zone, look like standalone machines from
> the internet)
>
> So everything is bridged (NET, LAN, DMZ bridges)
>
> Very flexible, I can replace any component and my DomUs are not
> bound to Dom0. I can move DomUs easily within my Dom0s.
>
> andris
>
> Stephen Liu wrote:
> > --- Grant McWilliams <grantmasterflash@gmail.com> wrote:
> >
> >> Grant McWilliams
> >>
> >> Some people, when confronted with a problem, think "I know, I'll use
> >> Windows."
> >> Now they have two problems.
> >>
> >> On Tue, Dec 16, 2008 at 9:01 AM, Thomas Goirand <thomas@goirand.fr>
> >> wrote:
> >>
> >>> lists@precognet.com wrote:
> >>>
> >>>> I'm wondering how to setup a firewall for Dom0 when all traffic
> >>>> for the DomUs go 'through' it.
> >>>
> >>> Hi,
> >>>
> >>> as we do commercial VPS hosting with xen and our own open source
> >>> management interface, we have designed a small anti-DoS firewall to
> >>> setup in your dom0. It does nothing spectacular, but it helps against
> >>> ssh dictionary attacks, and other very common flood types that might
> >>> hurt your server: ping, syn, etc.
> >>>
> >>> http://git.gplhost.com/gitweb/?p=dtc-xen.git;a=blob;f=debian/dtc-xen.init;h=5e4df2e46e3a872a2d73ada77e24e8bb242f8b6b;hb=a75a32b23d6dde71dc684045b3c2e7051c30e6fa
> >>>
> >>> I'd be happy to have contributions in this small script that is by
> >>> the way very simple to extend (just add a few functions for yourself
> >>> and share, then anybody can enable/disable them with ease).
> >>>
> >>> Thomas
> >>>
> >> Don't you mean this ;-)
> >>
> >> http://git.gplhost.com/gitweb/?p=dtc-xen.git;a=blob;f=debian/dtc-xen-firewall.init;h=16139921d6efd6fc2e407f7d80b11fae97befdf9;hb=a75a32b23d6dde71dc684045b3c2e7051c30e6fa
> >>
> >> A bit off topic but can dtc-xen control its users in a way that you
> >> can assign an admin per VM? What I'm looking for is to have each
> >> student manage his and only his domU.
> >>
> >> Grant McWilliams
> >
> > Hi folks,
> >
> > Just came across this thread. The setup of the Xen box here is as
> > follows;
> >
> > Dom0 - a workstation for remote setup/config DomU
> > DomU1 - mail server for routing (headless)
> > DomU2 - mail server for domain1 (headless)
> > DomU3 - mail server for domain2 (headless)
> > DomU4 - mail server for domain3 (headless)
> > etc.
> >
> > Firewall is only running on domU1. I'm running virtual domains, with
> > all domains pointing at the same public IP (one public IP). All ports
> > on router are forwarded to the local IP of DomU1. Do I need to have
> > firewall installed on each DomU? TIA
> >
> > B.R.
> > Stephen L
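Grant's plan above (Dom0 forwards everything to DomU1, which does the real filtering and NAT) and Stephen's question about per-DomU firewalls, as an added example that is not code from anyone in this thread: a minimal iptables ruleset for Dom0. Interface names and addresses are assumptions (eth0 public, br0 internal on the thread's 192.168.1.0/24, DomU1 at a placeholder 192.168.1.10, management SSH from a placeholder MGMT_NET).

```shell
#!/bin/sh
# Added example, not from this thread. Dom0 keeps almost nothing reachable
# on itself and hands all public traffic to DomU1 for the real filtering/NAT.
# Placeholders: WAN_IF=eth0, LAN_IF=br0, DOMU1=192.168.1.10, MGMT_NET=203.0.113.0/24.
set -eu
IPT="${IPT:-iptables}"            # set IPT="echo iptables" for a dry run
SYSCTL="${SYSCTL:-sysctl}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-br0}"
DOMU1="${DOMU1:-192.168.1.10}"    # placeholder: the firewall DomU's LAN address
LAN_NET="${LAN_NET:-192.168.1.0/24}"
MGMT_NET="${MGMT_NET:-203.0.113.0/24}"  # placeholder admin network (RFC 5737)

dom0_firewall_rules() {
    $SYSCTL -w net.ipv4.ip_forward=1
    # Clean slate, default deny for anything Dom0 receives or forwards.
    $IPT -F; $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Dom0 itself answers only loopback, replies, and management SSH.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -s "$MGMT_NET" -p tcp --dport 22 -j ACCEPT

    # Management SSH is exempted from the catch-all DNAT below; otherwise
    # it would be redirected to DomU1 before INPUT ever saw it.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -s "$MGMT_NET" -p tcp --dport 22 -j RETURN
    # Everything else that arrives on the public interface goes to DomU1.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -j DNAT --to-destination "$DOMU1"

    # Forward only the redirected flows to DomU1, the LAN's outbound traffic,
    # and replies. DomU-to-DomU traffic on br0 is switched, not routed, so it
    # never reaches FORWARD unless bridge-nf is on: the DomUs still want host firewalls.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$DOMU1" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT

    # One public IP for everything: masquerade the LAN on the way out.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Apply only on an explicit request so sourcing this file has no side effects.
if [ "${1:-}" = "apply" ]; then
    dom0_firewall_rules
fi
```

Run with `IPT="echo iptables" SYSCTL="echo sysctl" sh dom0-fw.sh apply` first to review the generated rules before applying them for real.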
Grant McWilliams wrote:
> Thanks for the rundown. Most of the solutions I've found have been
> overly complex. I'll look into dtc. How hard is it to create and delete
> accounts with VPS via automated scripts? I'd like to have a script parse
> a CSV file each quarter and add the appropriate users and link to
> VMs.
>
> Grant McWilliams

Quite easy. All you can do with the panel, you can do it in a script. Somebody wrote a client for doing this, it's in our forums.

Thomas