Thomas Jensen
2009-Jul-27 20:02 UTC
[Xen-users] Network Interface Problems for DomU Firewall
I am attempting to set up a firewall in a DomU. The firewall program I eventually want to run is Shorewall.

Both my Dom0 and DomU are Debian Lenny 64-bit systems. The Dom0 has four physical network interfaces installed. Currently, one of the NICs is hidden using the pciback.hide command in the /boot/grub/menu.lst file. Similarly, the hidden NIC is passed to the DomU using the pci = ['device:address.0'] line in the DomU configuration file.

When I modify the DomU configuration file only to include the pci directive without an additional vif line, the networking works as expected in the DomU. All of the networking settings are done in the /etc/network/interfaces file within the DomU.

I want to run a three-interface firewall using Shorewall. The physical NIC (eth0) will be used on the external side. I want to add two virtual interfaces to the DomU for use as a DMZ interface (eth2) and a private LAN interface (eth1).

Therefore, I returned to the DomU configuration file and added a vif line containing only the MAC address and Dom0 bridge. No IP address is listed within the vif line in the DomU configuration file.

When starting the DomU, networking no longer works as expected. Examining the results of ifconfig, I see that the DomU has assigned the NICs differently than I would expect. Examining the MAC addresses, the passthrough NIC is now assigned as eth1 rather than eth0.

In a typical installation, I would edit /etc/udev/rules.d/70-persistent-net.rules to manually assign the netdev names based on MAC address. However, this file doesn't exist in my newly created Debian Lenny DomU.

Can I simply create the file? Does this file not exist due to some underlying Xen issue? How should I rectify this problem?

Additional sanitized info:

server# xm info
host                   : server.example.com
release                : 2.6.26-1-xen-amd64
version                : #1 SMP Fri Mar 13 21:39:38 UTC 2009
machine                : x86_64
nr_cpus                : 4
nr_nodes               : 1
cores_per_socket       : 1
threads_per_core       : 2
cpu_mhz                : 2992
hw_caps                : bfebfbff:20100800:00000000:00000180:0000641d
total_memory           : 4030
free_memory            : 0
node_to_cpu            : node0:0-3
xen_major              : 3
xen_minor              : 2
xen_extra              : -1
xen_caps               : xen-3.0-x86_64 xen-3.0-x86_32p
xen_scheduler          : credit
xen_pagesize           : 4096
platform_params        : virt_start=0xffff800000000000
xen_changeset          : unavailable
cc_compiler            : gcc version 4.3.1 (Debian 4.3.1-2)
cc_compile_by          : waldi
cc_compile_domain      : debian.org
cc_compile_date        : Sat Jun 28 09:32:18 UTC 2008
xend_config_format     : 4

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Peter Müller
2009-Jul-28 06:27 UTC
Re: [Xen-users] Network Interface Problems for DomU Firewall
Hi Thomas,

I had similar problems with a hidden NIC in my Asterisk DomU. When I inserted a MAC, IP or a bridge in the vif line, I sometimes got two interfaces in the DomU, and from time to time the DomU crashed without any usable error in my log files.

I solved the problem (it's not really a solution, more a workaround) with an empty vif line (vif = [ '' ]) and renamed the interface, which also had the name eth1, with

ip link set eth1 name eth0

This worked in my case; you should try this, maybe it works for you too.

Greetings
Peter
Thomas Jensen
2009-Jul-28 22:24 UTC
RE: [Xen-users] Network Interface Problems for DomU Firewall
Thanks for the response. I apologize for the top post. What is appropriate etiquette when responding to a top-posted reply?

I changed the DomU configuration file to use the vif=[''] line. The DomU started fine. I checked the results of ifconfig after the initial boot and the interfaces were still opposite of what they should be (i.e. eth1 should be eth0, eth0 should be eth1). When I tried the command 'ip link set eth1 name eth0', I get the result 'RTNETLINK answers: File exists'.

Before trying this suggestion, I tried a few other things after my original post. I tried adding the file /etc/udev/rules.d/70-persistent-net.rules and modified it to include entries for the two MAC addresses; one real as a result of PCI passthrough and one virtual. The DomU hung when trying to boot.

I did additional research on the parameters that can be passed with the vif line in the DomU configuration file. I found that I can define vifname, which appears to address my intention of defining the interface name. So I tried adding the syntax so that my DomU config file had the following line, with the exception of the sanitized MAC address:

vif = [ 'mac=00:16:XX:XX:XX:XX,vifname=eth1,bridge=eth1' ]

When trying to boot the DomU with this configuration, I received the following error:

Error: Device 0 (vif) could not be connected. Hotplug scripts not working.

Can someone share what syntax combination or steps I need to follow in order to obtain a DomU with three interfaces; one of which is "real" as a result of PCI passthrough and two which are virtual interfaces?
Thomas Jensen
2009-Jul-30 03:26 UTC
RE: [Xen-users] Network Interface Problems for DomU Firewall
Here is some output from /var/log/xen/xen-hotplug.log in the hope that someone might respond with an answer:

device eth1 is a bridge device itself; can't enslave a bridge device to a bridge device.

This error message is displayed when I use the vif syntax:

vif = [ 'mac=00:16:XX:XX:XX:XX,vifname=eth1,bridge=eth1' ]

My intention is to use the Dom0 bridge eth1 and assign it, presumably using the vifname parameter, as the DomU eth1.
Fajar A. Nugraha
2009-Jul-30 03:40 UTC
Re: [Xen-users] Network Interface Problems for DomU Firewall
On Wed, Jul 29, 2009 at 5:24 AM, Thomas Jensen <tom.jensen@digitaltoolbox-inc.com> wrote:
> I changed the DomU configuration file to use the vif=[''] line.

Actually I don't recommend using an empty vif line, as it would assign the MAC address dynamically on every boot. You should give it a static MAC.

> The DomU started fine. I checked the results of ifconfig after the initial boot and the interfaces were still opposite of what they should be (i.e. eth1 should be eth0, eth0 should be eth1).

This would be a domU OS issue, not a Xen issue. On RHEL/CentOS I can have something like HWADDR in /etc/sysconfig/network-scripts/ifcfg-eth0 to bind a device name (eth0, eth1) to a NIC with a particular MAC. Not sure how to do it on Lenny though.

> When I tried the command 'ip link set eth1 name eth0', I get the result 'RTNETLINK answers: File exists'.

Probably because there's still another link called eth0 :) Try renaming eth0 to eth-tmp (or something), then rename eth1 to eth0, and eth-tmp to eth1.

> I found that I can define vifname which appears to address my intention of defining the interface name. So I tried adding the syntax so that my DomU config file had the following line with the exception of the sanitized MAC address:
>
> vif = [ 'mac=00:16:XX:XX:XX:XX,vifname=eth1,bridge=eth1' ]
>
> When trying to boot the DomU with the configuration, I received the following error:
>
> Error: Device 0 (vif) could not be connected. Hotplug scripts not working.

That won't do what you want. vifname is the name of the interface on dom0 (the one that's usually called vifx.y). So (for example) instead of vif1.0 you can have fw-eth0. Note that it's on dom0, not on domU. In your case it doesn't work because there's already another interface on dom0 called eth1.

> Can someone share what syntax combination or steps I need to follow in order to obtain a DomU with three interfaces; one of which is "real" as a result of PCI pass through and two which are virtual interfaces?

Give the virtual interfaces static MACs, and look up Debian's documentation on how to assign a static name to a specific MAC.

On a side note, I believe you could also dump PCI passthrough, and simply create another bridge on dom0, using that physical interface, with no IP address (at least this works on RHEL and Ubuntu). That way all interfaces will be virtual (vif), and you can adjust which one is listed first in the domU config.

-- 
Fajar
Tom Jensen
2009-Jul-31 18:54 UTC
Re: [Xen-users] Network Interface Problems for DomU Firewall
> On Wed, Jul 29, 2009 at 5:24 AM, Thomas Jensen <tom.jensen@digitaltoolbox-inc.com> wrote:
>> I changed the DomU configuration file to use the vif=[''] line.
>
> Actually I don't recommend using an empty vif line, as it would assign the MAC address dynamically on every boot. You should give it a static MAC.
>
>> The DomU started fine. I checked the results of ifconfig after the initial boot and the interfaces were still opposite of what they should be (i.e. eth1 should be eth0, eth0 should be eth1).
>
> This would be a domU OS issue, not a Xen issue. On RHEL/CentOS I can have something like HWADDR in /etc/sysconfig/network-scripts/ifcfg-eth0 to bind a device name (eth0, eth1) to a NIC with a particular MAC. Not sure how to do it on Lenny though.

I agree that this is a DomU OS issue. On my physical installations of Debian Lenny, there is always a file /etc/udev/rules.d/70-persistent-net.rules where a user can assign interfaces based upon MAC addresses. However, this file does not exist in my DomU Debian Lenny installation. Is this a change that is made in order for the OS to be Xen aware? Otherwise, I have tried to manually create the file, but the DomU hangs when starting.

>> When I tried the command 'ip link set eth1 name eth0', I get the result 'RTNETLINK answers: File exists'.
>
> Probably because there's still another link called eth0 :) Try renaming eth0 to eth-tmp (or something), then rename eth1 to eth0, and eth-tmp to eth1.

I can try writing a script that would rename the interfaces as a workaround. But it appears that the "correct" way to do what I would like with Debian Lenny is the udev rules.

>> I found that I can define vifname which appears to address my intention of defining the interface name. So I tried adding the syntax so that my DomU config file had the following line with the exception of the sanitized MAC address:
>>
>> vif = [ 'mac=00:16:XX:XX:XX:XX,vifname=eth1,bridge=eth1' ]
>>
>> When trying to boot the DomU with the configuration, I received the following error:
>>
>> Error: Device 0 (vif) could not be connected. Hotplug scripts not working.
>
> That won't do what you want. vifname is the name of the interface on dom0 (the one that's usually called vifx.y). So (for example) instead of vif1.0 you can have fw-eth0. Note that it's on dom0, not on domU. In your case it doesn't work because there's already another interface on dom0 called eth1.

I must have misinterpreted the documentation. I incorrectly believed the vifname parameter was used to assign the interface name in the DomU.

>> Can someone share what syntax combination or steps I need to follow in order to obtain a DomU with three interfaces; one of which is "real" as a result of PCI passthrough and two which are virtual interfaces?
>
> Give the virtual interfaces static MACs, and look up Debian's documentation on how to assign a static name to a specific MAC.
> On a side note, I believe you could also dump PCI passthrough, and simply create another bridge on dom0, using that physical interface, with no IP address (at least this works on RHEL and Ubuntu). That way all interfaces will be virtual (vif), and you can adjust which one is listed first in the domU config.

As I mentioned before, my ultimate goal is to configure a standard three-interface firewall within the DomU. Most of the information I have found on the subject suggests the most secure way to accomplish this is to dedicate the interface connected to the Internet to the DomU using PCI passthrough. The other two interfaces (DMZ & LAN) would be virtual interfaces bridged to the Dom0.

I am open to other concepts for creating a firewall DomU if anyone cares to share their configurations.
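Fajar's advice above (give each vif a fixed MAC, pin names to MACs in the DomU, and when the target name is already taken rename through a temporary name) and Tom's plan to script the rename, as an added example; this is not code from the thread or from Xen or Debian. The MAC addresses, the "-tmp" suffix and the sample `ip -o link show` output are constructed; the rule format is the one Debian Lenny's 70-persistent-net.rules uses. With vif=[''] the vif gets a new MAC every boot, so neither the udev rule nor the rename plan can match it.

```shell
#!/bin/sh
# Pin DomU interface names to MAC addresses two ways:
#  1. udev_rules   - emit /etc/udev/rules.d/70-persistent-net.rules lines
#  2. plan_renames - compute the `ip link set ... name ...` sequence that moves
#     each MAC to its name, parking the occupant under a temporary name when
#     the target is taken (the "RTNETLINK answers: File exists" case).
# All values below are assumptions for the example, not taken from the thread.

# Desired name -> MAC. Fixed MACs are required: with vif=[''] Xen picks a new
# MAC each boot and nothing here can match it.
DESIRED='eth0 00:1B:21:AA:BB:CC
eth1 00:16:3e:00:00:01
eth2 00:16:3e:00:00:02'

# Constructed `ip -o link show` output for the situation in the thread:
# the vif came up as eth0 and the passthrough NIC as eth1.
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN \    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000\    link/ether 00:16:3e:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000\    link/ether 00:1B:21:AA:BB:CC brd ff:ff:ff:ff:ff:ff'

# Lenny-era rule format. udev compares ATTR{address} against the kernel's
# lowercase value, so the MAC is normalised; a malformed MAC is rejected rather
# than silently producing a rule that never matches.
udev_rules() {
  printf '%s\n' "$1" | awk '
  NF == 2 {
    mac = tolower($2)
    if (length(mac) != 17 || mac !~ /^[0-9a-f][0-9a-f](:[0-9a-f][0-9a-f])+$/) {
      print "bad MAC for " $1 ": " $2 > "/dev/stderr"; bad = 1; next
    }
    printf "SUBSYSTEM==\"net\", ACTION==\"add\", DRIVERS==\"?*\", ATTR{address}==\"%s\", ATTR{type}==\"1\", KERNEL==\"eth*\", NAME=\"%s\"\n", mac, $1
  }
  END { exit bad }'
}

# $1 = `ip -o link show` output, $2 = desired map. Prints one rename per line.
plan_renames() {
  printf '%s\n' "$1" | awk -v desired="$2" '
  BEGIN {
    n = split(desired, lines, "\n")
    for (i = 1; i <= n; i++)
      if (split(lines[i], f, " ") == 2) wantname[tolower(f[2])] = f[1]
  }
  /link\/ether/ {
    name = $2; sub(/:$/, "", name)
    for (i = 3; i <= NF; i++)
      if ($i == "link/ether") { cur[name] = tolower($(i + 1)); break }
    order[++k] = name
  }
  END {
    for (i = 1; i <= k; i++) {
      name = order[i]
      if (!(name in cur)) continue              # already moved in an earlier step
      target = wantname[cur[name]]
      if (target == "" || target == name) continue
      if (target in cur) {                      # target taken: park the occupant first
        tmp = target "-tmp"
        printf "ip link set dev %s name %s\n", target, tmp
        cur[tmp] = cur[target]; delete cur[target]
        order[++k] = tmp                        # come back for the parked one
      }
      printf "ip link set dev %s name %s\n", name, target
      cur[target] = cur[name]; delete cur[name]
    }
  }'
}

# Apply on the DomU as root before ifup brings anything up (a link must be
# down to be renamed).
apply_renames() {
  plan_renames "$(ip -o link show)" "$DESIRED" | sh -e
}

# Dry run against the constructed sample: ./pin-names.sh --demo
if [ "${1-}" = "--demo" ]; then
  udev_rules "$DESIRED"
  plan_renames "$SAMPLE_LINKS" "$DESIRED"
fi
```

For the sample, the plan is exactly Fajar's three steps (eth1 to eth1-tmp, eth0 to eth1, eth1-tmp to eth0); on a layout that is already correct it prints nothing. The udev rules are the durable fix, the rename plan is the boot-time workaround Tom describes.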
Christian Fischer
2009-Jul-31 19:46 UTC
Re: [Xen-users] Network Interface Problems for DomU Firewall
On Friday 31 July 2009, Tom Jensen wrote:
[snip]
> As I mentioned before, my ultimate goal is to configure a standard three-interface firewall within the DomU. Most of the information I have found on the subject suggests the most secure way to accomplish this is to dedicate the interface connected to the Internet to the DomU using PCI passthrough. The other two interfaces (DMZ & LAN) would be virtual interfaces bridged to the Dom0. I am open to other concepts for creating a firewall DomU if anyone cares to share their configurations.

How about having the firewall inside dom0? If it has nothing more to do than routing/firewalling, I think a separate domU is a bit overblown.

You could replace /etc/xen/scripts/network-bridge with a dummy script (always exit 0, no interface renaming), create simple bridges, e.g. brnet (bridge interface eth0) and brlan/brdmz (no bridge interfaces, no IP), and add the domU vifs to these bridges. You could now firewall inside the bridges. Have a look at http://www.shorewall.net/manpages/shorewall-hosts.html if you use it.

Works fine.

Christian

-- 
"Without music to decorate it, time is just a bunch of boring production deadlines or dates by which bills must be paid." --- Frank Vincent Zappa
xensource@pivert.org
2009-Aug-01 18:10 UTC
Re: [Xen-users] Network Interface Problems for DomU Firewall
Hi,

I ran with such a config for about 3 years on my home network without problems:
- Linux with Shorewall in a domU
- PCI passthrough for the Ethernet card connected to the Internet.
- Two bridges, br-dmz and br-loc, configured at the OS level on dom0 (disabled the network-bridge script).
- As all my DMZ hosts were domUs, there was no physical interface linked to the br-dmz bridge.
- All guests paravirtualized (no virtualization support in my CPU at that time).

Nothing to say, this just worked. AFAIR, I had some problems with the PCI passthrough that I solved by using a different brand for the Ethernet card connected to the Internet. This is probably fixed now.

Some 5 months ago, I had to migrate to KVM/libvirt because of lack of support for ivtv and nvidia in a Xen dom0. I had to use a bridge for the Internet-facing interface; this works too.

François.
Fajar A. Nugraha
2009-Aug-03 02:51 UTC
Re: [Xen-users] Network Interface Problems for DomU Firewall
On Sat, Aug 1, 2009 at 1:54 AM, Tom Jensen <tom.jensen@digitaltoolbox-inc.com> wrote:
> As I mentioned before, my ultimate goal is to configure a standard three-interface firewall within the DomU. Most of the information I have found on the subject suggests the most secure way to accomplish this is to dedicate the interface connected to the Internet to the DomU using PCI passthrough.

It depends on how you define "secure" :)

> The other two interfaces (DMZ & LAN) would be virtual interfaces bridged to the Dom0. I am open to other concepts for creating a firewall DomU if anyone cares to share their configurations.

In my setup, in terms of networking I look at dom0 as an L2 switch. It has one or more uplink trunk interfaces (the physical interfaces), several access or trunk downlink interfaces (the bridges and domU interfaces), and (optionally) one dedicated management link with a management IP.

So for the Internet link I simply create another bridge on dom0, but without an IP address. This is similar to the way an L2 switch can have a VLAN carrying Internet traffic while the switch itself does not have a public IP address.

I find this setup easier to manage (since it's similar to a real physical setup), plus I'm not limited to the number of physical interfaces on dom0.

-- 
Fajar
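The layout Christian, François and Fajar describe (dom0 acting as an L2 switch: bridges that forward frames but carry no address on dom0, vifs with fixed MACs, one bridge per security zone), as an added example; this is not configuration from any of the posters, from Xen or from Shorewall. Bridge names, MACs, the vifname values and the sample `ip -o -4 addr show` output are constructed; the bridge_* options are Debian bridge-utils ifupdown hooks and the DomU file is xm/xend syntax as used on the Xen 3.2 in the thread. The audit function is the check a practitioner wants after such a setup: that no zone bridge has quietly acquired an address that would make dom0 reachable from that segment.

```shell
#!/bin/sh
# Dom0 as a plain L2 switch for a firewall DomU: bridges that forward frames
# but hold no address on dom0, vifs with fixed MACs, and an audit that flags a
# bridge someone left an address on. Names, MACs and sample output are
# assumptions for the example, not taken from the thread.

# bridge   physical port ("-" = none: only vifs will be attached)
BRIDGES='brnet eth0
brlan -
brdmz -'

# Stanzas for /etc/network/interfaces on dom0 (bridge-utils ifupdown hooks).
# "inet manual" with no address line: dom0 has no IP on any of these segments,
# so it is not reachable from the Internet, LAN or DMZ side. Management goes
# over a separate interface that is deliberately not in this table.
interfaces_stanzas() {
  printf '%s\n' "$1" | awk '
  NF == 2 {
    printf "auto %s\niface %s inet manual\n", $1, $1
    printf "    bridge_ports %s\n", ($2 == "-" ? "none" : $2)
    printf "    bridge_stp off\n    bridge_fd 0\n    bridge_maxwait 0\n\n"
  }'
}

# xm/xend (Xen 3.2) config for the firewall DomU: one vif per bridge, each with
# a fixed MAC so the DomU's udev rules can pin eth0/eth1/eth2. vifname only
# names the dom0 end of the pair. The PCI passthrough variant the thread
# started with would drop the brnet vif and add pci = [ '0000:03:00.0' ].
domu_config() {
  cat <<'EOF'
name   = 'fw'
memory = 256
vif    = [ 'mac=00:16:3e:00:00:00,bridge=brnet,vifname=fw-net',
           'mac=00:16:3e:00:00:01,bridge=brlan,vifname=fw-lan',
           'mac=00:16:3e:00:00:02,bridge=brdmz,vifname=fw-dmz' ]
EOF
}

# Constructed `ip -o -4 addr show` output: brmgmt legitimately carries the
# management address; brdmz carries one it must not.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
5: brmgmt    inet 192.0.2.10/24 brd 192.0.2.255 scope global brmgmt
7: brdmz    inet 10.0.2.1/24 brd 10.0.2.255 scope global brdmz'

# $1 = `ip -o -4 addr show` output, $2 = BRIDGES. Reports every zone bridge
# that carries an address; exit status 1 if any does. On dom0:
#   audit_bridge_ips "$(ip -o -4 addr show)" "$BRIDGES"
audit_bridge_ips() {
  printf '%s\n' "$1" | awk -v bridges="$2" '
  BEGIN {
    n = split(bridges, l, "\n")
    for (i = 1; i <= n; i++) if (split(l[i], f, " ") == 2) noip[f[1]] = 1
  }
  $3 == "inet" && ($2 in noip) {
    bad++; printf "%s has %s but should carry no address on dom0\n", $2, $4
  }
  END { exit (bad > 0) }'
}

# Print the generated files and run the audit on the sample: ./l2-dom0.sh --demo
if [ "${1-}" = "--demo" ]; then
  interfaces_stanzas "$BRIDGES"
  domu_config
  audit_bridge_ips "$SAMPLE_ADDRS" "$BRIDGES" || echo "audit failed"
fi
```

With the network-bridge script disabled, as Christian and François did, ifupdown owns the bridges and xend only attaches vifs to them; running the audit after every dom0 network change keeps the "switch has no public IP" property Fajar describes from eroding.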