Sanjay Arora
2009-Aug-20 11:33 UTC
[Xen-users] Question about using Xen in a periphery firewall/router scenario
Hello All

XEN newbie here.

If I install minimal linux for XEN in dom0 and a periphery firewall in domU and other applications in other instances of domU, is it possible to restrict/bind the network card to domU having periphery firewall and from there forward packets for dom0 or for other domUs?

Is this possible? If so, is it secure? Or does dom0 always have direct access to Network Card and needs a separate firewall? And packets will always route from dom0 to all domUs?

What are the issues involved?

With best regards.
Sanjay.

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Simon Hobson
2009-Aug-20 12:43 UTC
Re: [Xen-users] Question about using Xen in a periphery firewall/router scenario
Sanjay Arora wrote:
> XEN newbie here.

We all started there - I'm not much further on!

> If I install minimal linux for XEN in dom0 and a periphery firewall in
> domU and other applications in other instances of domU, is it possible
> to restrict/bind the network card to domU having periphery firewall
> and from there forward packets for dom0 or for other domUs?
>
> Is this possible? If so, is it secure? Or does dom0 always have direct
> access to Network Card and needs a separate firewall? And packets will
> always route from dom0 to all domUs ?

OK, there are two ways to deal with this.

The approach I've used at home is to hide a network card from Dom0 (see pciback.hide) and pass it through to a DomU which then sees it as a native interface. I then run a firewall in the DomU and the outside traffic does NOT go through Dom0. The route for packets is then :

real i/f -> DomU (firewall) -> VIF -> int bridge [ Dom0 | VIF -> DomU ]

An alternative is to create more than one bridge in Dom0. The 'outside' bridge will have members of the real network card, and the VIF for your firewall DomU. Dom0 either has no interface defined on this bridge*, or some iptables rules to block all outside traffic. The 'internal' bridge has member interfaces for Dom0, your firewall DomU, and all other DomUs. The route for packets is then :

real i/f -> ext bridge -> VIF -> DomU (firewall) -> VIF -> int bridge \
                                    [ Dom0 | VIF -> DomU ]

* Personally, I've never got the bridge to work this way.

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson.
Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
Fajar A. Nugraha
2009-Aug-20 14:45 UTC
Re: [Xen-users] Question about using Xen in a periphery firewall/router scenario
On Thu, Aug 20, 2009 at 7:43 PM, Simon Hobson<linux@thehobsons.co.uk> wrote:
> Sanjay Arora wrote:
>> Is this possible? If so, is it secure? Or does dom0 always have direct
>> access to Network Card and needs a separate firewall? And packets will
>> always route from dom0 to all domUs ?
>
> OK, there are two ways to deal with this.

> An alternative is to create more than one bridge in Dom0. The 'outside'
> bridge will have members of the real network card, and the VIF for your
> firewall DomU. Dom0 either has no interface defined on this bridge*, or some
> iptables rules to block all outside traffic. The 'internal' bridge has
> member interfaces for Dom0, your firewall DomU, and all other DomUs. The
> route for packets is then :
>
> real i/f -> ext bridge -> VIF -> DomU (firewall) -> VIF -> int bridge \
>                                     [ Dom0 | VIF -> DomU ]
>

This is what I use. From security perspective, this is the same as having an L2 switch (when dom0's bridges have no IP address) or L3 switch (when dom0's bridges have an IP address).

-- 
Fajar
J. Roeleveld
2009-Aug-21 10:21 UTC
Re: [Xen-users] Question about using Xen in a periphery firewall/router scenario
On Thursday 20 August 2009 13:33:07 Sanjay Arora wrote:
> Hello All
>
> XEN newbie here.
>
> If I install minimal linux for XEN in dom0 and a periphery firewall in
> domU and other applications in other instances of domU, is it possible
> to restrict/bind the network card to domU having periphery firewall
> and from there forward packets for dom0 or for other domUs?
>
> Is this possible? If so, is it secure? Or does dom0 always have direct
> access to Network Card and needs a separate firewall? And packets will
> always route from dom0 to all domUs ?
>
> What are the issues involved?
>
> With best regards.
> Sanjay.

I actually set up separate bridges for each network card I have in my Router/Firewall/Server/.... Then I hook them all into the firewall-domU and only hook the separate domains to each bridge depending on where they belong in the network.

The dom0 uses a dummy-device to be connected to one of the bridges and this works correctly for me. I do, however, set up all the bridges, apart from the one that dom0 is connected to, but that is because I haven't figured out how to configure multiple bridges in the xen-configuration.

As for how secure it is, unless there is some attack-vector that can access the dom-0 over a bridge that only has the physical network device (no ip) and the connection to the firewall-domain, this should be quite safe. In the past 4 years that I've been using this set-up, I have not seen any evidence of any packets reaching the dom0 other than the ones I allow through the firewall.

Let me know if you want me to go more in-depth on how I set this up.

HTH,

Joost
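The multi-bridge layout that Simon describes as his alternative (one 'outside' bridge holding the real NIC and the firewall DomU's VIF, one 'internal' bridge holding Dom0 and everything else) and that Joost generalises to one bridge per physical card is easy to get subtly wrong: the thing that makes the outside bridge an L2 switch rather than an L3 one, in Fajar's terms, is that neither the bridge nor the NIC inside it carries a dom0 address. The script below is an added example written for this page, not anything posted in the thread or shipped with Xen. It builds the bridges with bridge-utils and iproute2 as a dom0 would have had them in 2009, adds Simon's "iptables rules to block all outside traffic" as a second line of defence, and emits the vif= line for the firewall DomU. Interface names (eth0, xenbr-ext, xenbr-int), the 192.168.0.1/24 dom0 address and the DRY_RUN switch are all assumptions; with DRY_RUN=1 (the default) it only prints what it would do.

```shell
#!/bin/sh
# Added example for the xen-users thread above; not code from the thread.
# Builds the "external bridge with no dom0 address / internal bridge with
# dom0's address" layout. All names and addresses below are assumptions.
# DRY_RUN=1 prints the commands; DRY_RUN=0 runs them (root in dom0 needed).

DRY_RUN="${DRY_RUN:-1}"
INT_BR="xenbr-int"          # assumed name of the internal bridge
DOM0_ADDR="192.168.0.1/24"  # assumed dom0 address on the internal bridge

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One external bridge per physical NIC. Neither the NIC nor the bridge gets
# an address in dom0, so dom0 is a pure L2 switch between the card and the
# firewall domU's vif. The INPUT drops are belt and braces: even if a later
# change gives the bridge an address, nothing from outside reaches dom0.
ext_bridge_cmds() {
    nic="$1"; br="$2"
    run brctl addbr "$br"
    run brctl stp "$br" off
    run ip addr flush dev "$nic"
    run brctl addif "$br" "$nic"
    run ip link set "$nic" up
    run ip link set "$br" up
    run iptables -A INPUT -i "$br" -j DROP
    run iptables -A INPUT -i "$nic" -j DROP
}

# The internal bridge: dom0, the firewall domU and every other domU hang
# off this one. This is the only bridge that carries a dom0 address.
int_bridge_cmds() {
    run brctl addbr "$INT_BR"
    run brctl stp "$INT_BR" off
    run ip addr add "$DOM0_ADDR" dev "$INT_BR"
    run ip link set "$INT_BR" up
}

# vif= line for the firewall domU: one interface per bridge it spans, the
# internal bridge last. Ordinary domUs get a single entry for $INT_BR.
fw_vif_line() {
    line=""
    for b in "$@"; do
        line="${line}'bridge=${b}', "
    done
    printf "vif = [ %s ]\n" "${line%, }"
}

# Stand-alone run: plan for one external NIC plus the internal bridge.
ext_bridge_cmds eth0 xenbr-ext
int_bridge_cmds
fw_vif_line xenbr-ext xenbr-int
```

Two things to check on a real dom0 before trusting the layout. First, `ip addr show xenbr-ext` and `ip addr show eth0` must show no inet address at all, otherwise the outside bridge has quietly become the L3 case. Second, if `/proc/sys/net/bridge/bridge-nf-call-iptables` is 1, frames bridged between the NIC and the firewall vif are also passed through dom0's iptables FORWARD chain, so dom0's FORWARD policy is then part of the outside path whether you intended it or not; either set it to 0 or write the FORWARD rules deliberately. Xen 3.x's own network-bridge script accepts netdev= and bridge= arguments, so a wrapper that calls it once per card is the other common way to get the per-NIC bridges Joost describes.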
Sanjay Arora
2009-Aug-22 19:01 UTC
Re: [Xen-users] Question about using Xen in a periphery firewall/router scenario
On Thu, Aug 20, 2009 at 6:13 PM, Simon Hobson<linux@thehobsons.co.uk> wrote:
>
> The approach I've used at home is to hide a network card from Dom0 (see
> pciback.hide) and pass it through to a DomU which then sees it as a native
> interface. I then run a firewall in the DomU and the outside traffic does
> NOT go through Dom0. The route for packets is then :
>
> real i/f -> DomU (firewall) -> VIF -> int bridge [ Dom0 | VIF -> DomU ]
>

Can you advise how to set this up?

Thanks.
Sanjay.
Simon Hobson
2009-Aug-22 19:39 UTC
Re: [Xen-users] Question about using Xen in a periphery firewall/router scenario
Sanjay Arora wrote:
>> The approach I've used at home is to hide a network card from Dom0 (see
>> pciback.hide) and pass it through to a DomU which then sees it as a native
>> interface. I then run a firewall in the DomU and the outside traffic does
>> NOT go through Dom0. The route for packets is then :
>>
>> real i/f -> DomU (firewall) -> VIF -> int bridge [ Dom0 | VIF -> DomU ]
>
> Can you advise how to set this up?

Use lspci to find the PCI address of the network card.

Edit your host boot menu (/boot/grub/menu.lst) to 'hide' the device from your Dom0 like this :

> title Xen 3.2-1-amd64 / Debian 2.6.18-6-xen-amd64 - Ext Eth hidden
> root (hd0,0)
> kernel /xen-3.2-1-amd64.gz dom0_mem=512M
> module /vmlinuz-2.6.18-6-xen-amd64 root=/dev/sda3 ro console=tty0 pciback.hide=(01:07.0)(01:06.0)
> module /initrd.img-2.6.18-6-xen-amd64
> savedefault

Note : "module /vmlinuz-2.6.18-6-xen-amd64 root=/dev/sda3 ro console=tty0 pciback.hide=(01:07.0)(01:06.0)" is all on one line.

In this case I've hidden two devices - one is a network card, the other is a TV tuner. Note that you MUST include leading zeros in the PCI address - ie 01:07.0 is valid, 1:7.0 will NOT work.

Then you make the device available to a DomU like this :

> # Config file for Bubbles (Router)
>
> kernel = '/boot/vmlinuz-2.6.18-6-xen-amd64'
> ramdisk = '/boot/initrd.img-2.6.18-6-xen-amd64'
>
> memory = '256'
>
> root = '/dev/sda1 ro'
> disk = [ 'phy:/dev/vgmain/bubblesroot,sda1,w',
>          'phy:/dev/vgmain/bubblesswap,sda2,w',
>          'phy:/dev/vgbackup/bubblesbackup,sda3,w' ]
>
> name = 'bubbles'
>
> pci=['01:07.0']
> vif = [ 'bridge=eth0,ip=192.168.0.2,mac=00:16:3e:35:f4:02' ]
>
> on_poweroff = 'destroy'
> on_reboot = 'restart'
> on_crash = 'restart'

Search for "pciback" in the Xen documentation for more info - there are other ways of doing it, but this is reasonably simple to set up.

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson.
Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
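Simon's warning about leading zeros is the sort of thing that fails silently: a malformed pciback.hide entry is simply ignored, dom0 binds its usual driver to the card, and the "outside traffic does NOT go through Dom0" property is gone without any error message. The script below is an added example written for this page (not code from the thread or from Xen) that validates the addresses before they go into menu.lst, builds the pciback.hide= argument from them, and after reboot checks that the pciback driver really owns the device by looking for it under /sys/bus/pci/drivers/pciback/, which is where the Linux PCI core lists devices bound to a driver. The addresses 01:07.0 and 01:06.0 are the ones from Simon's grub entry; SYSFS_ROOT is an assumption so the check can be pointed at a fake sysfs tree.

```shell
#!/bin/sh
# Added example for the xen-users thread above; not code from the thread.
# Validates pciback.hide addresses and checks, after reboot, that pciback
# owns them. SYSFS_ROOT is an assumption (defaults to the real /sys).

SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# Simon's caveat: bus, slot and function must be zero-padded exactly as
# lspci prints them. 01:07.0 is valid; 1:7.0 is ignored by pciback. The
# optional 0000: domain prefix is accepted too.
bdf_valid() {
    case "$1" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f].[0-7]) return 0 ;;
        [0-9a-f][0-9a-f][0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f].[0-7]) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the kernel argument for menu.lst from a list of addresses. Refuses
# malformed ones rather than producing an argument that boots but does
# nothing, which is the failure mode Simon warns about.
pciback_hide_arg() {
    arg="pciback.hide="
    for bdf in "$@"; do
        bdf_valid "$bdf" || { echo "bad PCI address: $bdf" >&2; return 1; }
        arg="${arg}(${bdf})"
    done
    printf '%s\n' "$arg"
}

# Post-reboot check: a hidden device appears under the pciback driver's
# sysfs directory with its full domain-qualified address. Returns 0 if
# pciback owns it, 1 if dom0 still has it (or it does not exist).
hidden_by_pciback() {
    bdf="$1"
    case "$bdf" in ????:*) ;; *) bdf="0000:$bdf" ;; esac
    [ -e "$SYSFS_ROOT/bus/pci/drivers/pciback/$bdf" ]
}

# Stand-alone run: show the argument for Simon's two devices and report
# whether each is currently hidden on this host.
pciback_hide_arg 01:07.0 01:06.0
for d in 01:07.0 01:06.0; do
    if hidden_by_pciback "$d"; then
        echo "$d: owned by pciback"
    else
        echo "$d: NOT hidden (still visible to dom0)"
    fi
done
```

Run the check in dom0 before starting the firewall DomU; if it reports the card as not hidden, stop and fix menu.lst rather than starting the domain, because xm will otherwise fail the pci= assignment or, worse, the card stays reachable from dom0. Two further caveats a practitioner will want: on later pvops dom0 kernels the module is xen-pciback and the boot parameter becomes xen-pciback.hide=, and passing a PCI device through to a DomU on a machine without an IOMMU (VT-d/AMD-Vi) lets that DomU program the card to DMA into arbitrary host memory, so on such hardware a compromised firewall DomU can reach dom0 anyway and the isolation this thread is after is only as strong as the DomU itself.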