Hi everyone,

Once I roll out my Xen VPS hosting solution, I wish to provide a "managed firewall" service to my customers. What I wish to do is to use my firewall (which will sit on the edge between the ISP WAN and my VMs' LAN) to filter traffic between the WAN and the LAN VMs (this is easy), as well as filter between the VMs.

Now, this "firewall" will actually be a "filtering bridge" as the VMs will be using public IPs, so the firewall's WAN and LAN interfaces will be bridged together. My question is, how can I "force" all traffic from each VM host to go back out via the firewall? Is it just a matter of using iptables/ebtables in the bridge in the Dom0 to make sure that the vifs can only communicate with the physical interface (which will be connected to the firewall)?

I think the hardest part will be to configure the switch in such a way that it doesn't route traffic directly to the destination VM.

The firewall will be using pfSense, by the way.

Any help or tips are very much appreciated.

Thanks

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Jonathan Tripathy wrote:

> Once I roll out my Xen VPS hosting solution, I wish to provide a
> "managed firewall" service to my customers. What I wish to do is to
> use my firewall (which will sit on the edge between the ISP WAN and
> my VMs' LAN) to filter traffic between the WAN and the LAN VMs (this
> is easy), as well as filter between the VMs.
>
> Now, this "firewall" will actually be a "filtering bridge" as the
> VMs will be using public IPs, so the firewall's WAN and LAN
> interfaces will be bridged together. My question is, how can I
> "force" all traffic from each VM host to go back out via the
> firewall? Is it just a matter of using iptables/ebtables in the
> bridge in the Dom0 to make sure that the vifs can only communicate
> with the physical interface (which will be connected to the
> firewall)?

For this to work, each VM must attach to a different "port" of your firewall. If the firewall were a VM on the same host then you could create a bridge per VM and connect them all to the firewall VM. But since, as I read it, you are using an external box, you would need to use either a lot of real NICs or, more efficiently, a VLAN per VM and trunk them to the switch.

If you just use one virtual switch (bridge) and connect multiple VMs to it, then you are correct in saying the switch will simply forward the packets directly between the VMs.

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
On 13/06/10 10:02, Simon Hobson wrote:
> Jonathan Tripathy wrote:
>
>> Once I roll out my Xen VPS hosting solution, I wish to provide a
>> "managed firewall" service to my customers. What I wish to do is to
>> use my firewall (which will sit on the edge between the ISP WAN and
>> my VMs' LAN) to filter traffic between the WAN and the LAN VMs (this
>> is easy), as well as filter between the VMs.
>>
>> Now, this "firewall" will actually be a "filtering bridge" as the VMs
>> will be using public IPs, so the firewall's WAN and LAN interfaces
>> will be bridged together. My question is, how can I "force" all
>> traffic from each VM host to go back out via the firewall? Is it just
>> a matter of using iptables/ebtables in the bridge in the Dom0 to make
>> sure that the vifs can only communicate with the physical interface
>> (which will be connected to the firewall)?
>
> For this to work, each VM must attach to a different "port" of your
> firewall. If the firewall were a VM on the same host then you could
> create a bridge per VM and connect them all to the firewall VM. But
> since as I read it you are using an external box, then you would need
> to use either a lot of real NICs, or more efficiently, use a VLAN per
> VM and trunk them to the switch.
>
> If you just use one virtual switch (bridge) and connect multiple VMs
> to it, then you are correct in saying the switch will simply forward
> the packets directly between the VMs.

Hi Simon,

Thanks for your email. Since I have plans for up to nearly 100 VMs on the same machine, how well would Xen cope with 100 bridges?

I also have another idea, so maybe you could tell me if it would work or not (using a physical firewall box):

Let's say I have just one bridge per Xen host. Could I use iptables/ebtables to deny all inter-VM traffic? So only allow access from the VM to the physical NIC of the box? Then on the physical switch, I could put each port on a separate VLAN, but put the port that the firewall is connected to on all the VLANs. Then, I assume, the switch would send all traffic from the host ports to the firewall port, where the firewall could do filtering? I'm not sure if the firewall would even need to be VM aware...

Would that work? Or is that just a bad idea?

Thanks
Jonathan
Jonathan Tripathy wrote:

> Since I have plans for up to nearly 100 VMs on the same machine, how
> well would Xen cope with 100 bridges?

No idea.

> I also have another idea, so maybe you could tell me if it would
> work or not (using a physical firewall box):
> Let's say I have just one bridge per Xen host. Could I use
> iptables/ebtables to deny all inter-VM traffic? So only allow access
> from the VM to the physical NIC of the box? Then on the physical
> switch, I could put each port on a separate VLAN, but put the port
> that the firewall is connected to on all the VLANs. Then, I assume,
> the switch would send all traffic from the host ports to the
> firewall port, where the firewall could do filtering? I'm not sure
> if the firewall would even need to be VM aware...

Well, the firewall will not have to be VM aware anyway - it just sees traffic on VLAN ports.

As to having one bridge and VLANs, if you connect multiple VLANs to one switch then that's the equivalent of trunking (bonding) multiple links together and won't help. The only other way round it I can see is to use some fudging with /32 subnets for the clients so that they have no concept of there being 'neighbours' on the local subnet (and then enforce it with iptables/ebtables rules to prevent direct host-host traffic) - but that's beyond my experience and I don't know how well it works or what pitfalls there may be.

-- 
Simon Hobson
Response in-line for once...

-----Original Message-----
From: xen-users-bounces@lists.xensource.com [mailto:xen-users-bounces@lists.xensource.com] On Behalf Of Simon Hobson
Sent: Sunday, June 13, 2010 08:32
To: xen-users@lists.xensource.com
Subject: Re: [Xen-users] Managed Firewall

> Jonathan Tripathy wrote:
>
>> Since I have plans for up to nearly 100 VMs on the same machine, how
>> well would Xen cope with 100 bridges?
>
> No idea.
>
>> I also have another idea, so maybe you could tell me if it would
>> work or not (using a physical firewall box):
>> Let's say I have just one bridge per Xen host. Could I use
>> iptables/ebtables to deny all inter-VM traffic? So only allow access
>> from the VM to the physical NIC of the box? Then on the physical
>> switch, I could put each port on a separate VLAN, but put the port
>> that the firewall is connected to on all the VLANs. Then, I assume,
>> the switch would send all traffic from the host ports to the
>> firewall port, where the firewall could do filtering? I'm not sure
>> if the firewall would even need to be VM aware...
>
> Well the firewall will not have to be VM aware anyway - it just sees
> traffic on VLAN ports.
>
> As to having one bridge and VLANs, if you connect multiple VLANs to
> one switch then that's the equivalent of trunking (bonding) multiple
> links together and won't help. The only other way round it I can see
> is to use some fudging with /32 subnets for the clients so that they
> have no concept of there being 'neighbours' on the local subnet (and
> then enforce it with iptables/ebtables rules to prevent direct
> host-host traffic) - but that's beyond my experience and I don't know
> how well it works or what pitfalls there may be.

Simon,

Primarily out of curiosity, are you assuming that the switch is not using VLAN tagging along with trunking? Is that even possible? Assuming tagged VLANs, I don't see what makes you think the switch is going to break that boundary and send the data back. Even if it did, the destination domU should ignore it unless the tag was stripped by the switch. Seems to me like the switch would keep the VLANs separate and the firewall would have to function as a sort of "VLAN Router," which may or may not be possible.

Dustin
________________________________
From: xen-users-bounces@lists.xensource.com on behalf of Dustin Henning
Sent: Tue 15/06/2010 16:12
To: 'Simon Hobson'; xen-users@lists.xensource.com
Subject: RE: [Xen-users] Managed Firewall

> Response in-line for once...
>
> -----Original Message-----
> From: xen-users-bounces@lists.xensource.com [mailto:xen-users-bounces@lists.xensource.com] On Behalf Of Simon Hobson
> Sent: Sunday, June 13, 2010 08:32
> To: xen-users@lists.xensource.com
> Subject: Re: [Xen-users] Managed Firewall
>
>> Jonathan Tripathy wrote:
>>
>>> Since I have plans for up to nearly 100 VMs on the same machine, how
>>> well would Xen cope with 100 bridges?
>>
>> No idea.
>>
>>> I also have another idea, so maybe you could tell me if it would
>>> work or not (using a physical firewall box):
>>> Let's say I have just one bridge per Xen host. Could I use
>>> iptables/ebtables to deny all inter-VM traffic? So only allow access
>>> from the VM to the physical NIC of the box? Then on the physical
>>> switch, I could put each port on a separate VLAN, but put the port
>>> that the firewall is connected to on all the VLANs. Then, I assume,
>>> the switch would send all traffic from the host ports to the
>>> firewall port, where the firewall could do filtering? I'm not sure
>>> if the firewall would even need to be VM aware...
>>
>> Well the firewall will not have to be VM aware anyway - it just sees
>> traffic on VLAN ports.
>>
>> As to having one bridge and VLANs, if you connect multiple VLANs to
>> one switch then that's the equivalent of trunking (bonding) multiple
>> links together and won't help. The only other way round it I can see
>> is to use some fudging with /32 subnets for the clients so that they
>> have no concept of there being 'neighbours' on the local subnet (and
>> then enforce it with iptables/ebtables rules to prevent direct
>> host-host traffic) - but that's beyond my experience and I don't know
>> how well it works or what pitfalls there may be.
>
> Simon,
>
> Primarily out of curiosity, are you assuming that the switch is not
> using VLAN tagging along with trunking? Is that even possible?
> Assuming tagged VLANs, I don't see what makes you think the switch is
> going to break that boundary and send the data back. Even if it did,
> the destination domU should ignore it unless the tag was stripped by
> the switch. Seems to me like the switch would keep the VLANs separate
> and the firewall would have to function as a sort of "VLAN Router,"
> which may or may not be possible.
>
> Dustin

-------------------------------------------------------------------------------------------------------------

Hi Everyone,

Just to follow up on my above emails. I've decided to go down a much simpler route: I'm just going to add some iptables rules in the vif script for each customer. This will provide simple yet powerful filtering in the Dom0. No external firewall needed!

Thanks
Dustin Henning wrote:

>>> I also have another idea, so maybe you could tell me if it would
>>> work or not (using a physical firewall box):
>>> Let's say I have just one bridge per Xen host. Could I use
>>> iptables/ebtables to deny all inter-VM traffic? So only allow access
>>> from the VM to the physical NIC of the box? Then on the physical
>>> switch, I could put each port on a separate VLAN, but put the port
>>> that the firewall is connected to on all the VLANs. Then, I assume,
>>> the switch would send all traffic from the host ports to the
>>> firewall port, where the firewall could do filtering? I'm not sure
>>> if the firewall would even need to be VM aware...
>>
>> Well the firewall will not have to be VM aware anyway - it just sees
>> traffic on VLAN ports.
>>
>> As to having one bridge and VLANs, if you connect multiple VLANs to
>> one switch then that's the equivalent of trunking (bonding) multiple
>> links together and won't help. The only other way round it I can see
>> is to use some fudging with /32 subnets for the clients so that they
>> have no concept of there being 'neighbours' on the local subnet (and
>> then enforce it with iptables/ebtables rules to prevent direct
>> host-host traffic) - but that's beyond my experience and I don't know
>> how well it works or what pitfalls there may be.
>
> Simon,
> Primarily out of curiosity, are you assuming that the switch is not using
> VLAN tagging along with trunking? Is that even possible? Assuming tagged
> VLANs, I don't see what makes you think the switch is going to break that
> boundary and send the data back. Even if it did, the destination domU
> should ignore it unless the tag was stripped by the switch. Seems to me
> like the switch would keep the VLANs separate and the firewall would have to
> function as a sort of "VLAN Router," which may or may not be possible.
> Dustin

Well, actually I'm not sure I fully understand the setup proposed - but I think it involved building a bridge per guest, a VLAN per bridge, and trunking the lot back to the firewall via a switch.

At some point, all these VLANs are going to have to be switched together - unless you futz about with /32 subnets on the clients. Once you do that, the switches will switch the packets back in the shortest manner available - and that is unlikely to be via the firewall unless that is doing all the switching.

It could work if the firewall supports that many interfaces, and you trunk all the VLANs back to it. Then you could set up intra-zone rules to control traffic between the VLANs, and hence between the guests.

I see no reason why a switch shouldn't support tagged packets over a bonded trunk. It's just a case of whether you can actually get anything useful from doing so.

-- 
Simon Hobson
________________________________
From: xen-users-bounces@lists.xensource.com on behalf of Simon Hobson
Sent: Tue 15/06/2010 17:14
To: xen-users@lists.xensource.com
Subject: RE: [Xen-users] Managed Firewall

> Dustin Henning wrote:
>
>>>> I also have another idea, so maybe you could tell me if it would
>>>> work or not (using a physical firewall box):
>>>> Let's say I have just one bridge per Xen host. Could I use
>>>> iptables/ebtables to deny all inter-VM traffic? So only allow access
>>>> from the VM to the physical NIC of the box? Then on the physical
>>>> switch, I could put each port on a separate VLAN, but put the port
>>>> that the firewall is connected to on all the VLANs. Then, I assume,
>>>> the switch would send all traffic from the host ports to the
>>>> firewall port, where the firewall could do filtering? I'm not sure
>>>> if the firewall would even need to be VM aware...
>>>
>>> Well the firewall will not have to be VM aware anyway - it just sees
>>> traffic on VLAN ports.
>>>
>>> As to having one bridge and VLANs, if you connect multiple VLANs to
>>> one switch then that's the equivalent of trunking (bonding) multiple
>>> links together and won't help. The only other way round it I can see
>>> is to use some fudging with /32 subnets for the clients so that they
>>> have no concept of there being 'neighbours' on the local subnet (and
>>> then enforce it with iptables/ebtables rules to prevent direct
>>> host-host traffic) - but that's beyond my experience and I don't know
>>> how well it works or what pitfalls there may be.
>>
>> Simon,
>> Primarily out of curiosity, are you assuming that the switch is not using
>> VLAN tagging along with trunking? Is that even possible? Assuming tagged
>> VLANs, I don't see what makes you think the switch is going to break that
>> boundary and send the data back. Even if it did, the destination domU
>> should ignore it unless the tag was stripped by the switch. Seems to me
>> like the switch would keep the VLANs separate and the firewall would have to
>> function as a sort of "VLAN Router," which may or may not be possible.
>> Dustin
>
> Well, actually I'm not sure I fully understand the setup proposed - but
> I think it involved building a bridge per guest, a VLAN per bridge, and
> trunking the lot back to the firewall via a switch.
>
> At some point, all these VLANs are going to have to be switched
> together - unless you futz about with /32 subnets on the clients. Once
> you do that, the switches will switch the packets back in the shortest
> manner available - and that is unlikely to be via the firewall unless
> that is doing all the switching.
>
> It could work if the firewall supports that many interfaces, and you
> trunk all the VLANs back to it. Then you could set up intra-zone rules
> to control traffic between the VLANs, and hence between the guests.
>
> I see no reason why a switch shouldn't support tagged packets over a
> bonded trunk. It's just a case of whether you can actually get anything
> useful from doing so.
>
> -- 
> Simon Hobson

----------------------------------------------------------------------------------

Hi Simon,

You are correct in what you have said, and that is the same conclusion I came to. This is why I've chosen to do a simpler solution: just use iptables in each Dom0 to firewall customer VMs. All I have to do is write my own vif scripts to make it easy to configure, which shouldn't be too hard. So if a customer wants a port blocked/opened, all I have to do is change the vif script, then restart the VM.

What do you think?

Thanks
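The approach Jonathan settles on above (per-customer iptables rules applied from the Dom0 vif script, with the inter-VM isolation from earlier in the thread done with ebtables on the same bridge) is shown here as an added example; it is not code from the thread or from Xen's own vif scripts. It assumes Xen's vifN.M port naming, a Linux bridge with br_netfilter enabled, and a hypothetical DRY_RUN switch so the rule set can be inspected without root.

```shell
#!/bin/sh
# Added illustration of per-vif filtering in Dom0, in the shape of a Xen vif
# hook. Assumptions: the guest's bridge port is named vifN.M (Xen convention)
# and bridged frames are handed to iptables FORWARD, which needs
#     sysctl -w net.bridge.bridge-nf-call-iptables=1
# DRY_RUN=1 (a switch added for this example) prints commands instead of
# executing them, so the generated rule set can be reviewed without root.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Inter-VM isolation on a single bridge: a frame that enters on one vif and
# would leave on another vif is dropped, so a guest can only reach the
# physical uplink. ebtables treats a trailing '+' as an interface wildcard.
# Run once at Dom0 boot, not per vif, or the rule is appended repeatedly.
isolate_vifs() {
    run ebtables -A FORWARD -i vif+ -o vif+ -j DROP
}

# vif_rules VIF "PORT PORT ..." : the guest may open anything outbound, only
# the customer's listed TCP ports are reachable inbound, everything else is
# dropped. The physdev match keys on the bridge port, not on the guest's IP,
# so the customer cannot escape the policy by changing addresses inside domU.
vif_rules() {
    vif=$1; ports=$2
    chain="fw-$(printf '%s' "$vif" | tr . _)"   # one chain per guest
    run iptables -N "$chain"
    run iptables -A FORWARD -m physdev --physdev-in "$vif" -j "$chain"
    run iptables -A FORWARD -m physdev --physdev-out "$vif" -j "$chain"
    run iptables -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A "$chain" -m physdev --physdev-in "$vif" -j ACCEPT
    for p in $ports; do
        run iptables -A "$chain" -m physdev --physdev-out "$vif" -p tcp --dport "$p" -j ACCEPT
    done
    run iptables -A "$chain" -j DROP
}

# vif_teardown VIF : unhook and delete the guest's chain when the vif goes
# away, so rules from restarted guests do not pile up in Dom0.
vif_teardown() {
    vif=$1
    chain="fw-$(printf '%s' "$vif" | tr . _)"
    run iptables -D FORWARD -m physdev --physdev-in "$vif" -j "$chain"
    run iptables -D FORWARD -m physdev --physdev-out "$vif" -j "$chain"
    run iptables -F "$chain"
    run iptables -X "$chain"
}

# Xen calls vif scripts with "online"/"offline"; the port list would come
# from the operator's per-customer config (how it is stored is not shown).
case "${1:-}" in
    online)  vif_rules "$2" "$3" ;;
    offline) vif_teardown "$2" ;;
esac
```

A customer's port change then means editing their port list and bouncing the vif (or the VM, as Jonathan planned), after which offline/online regenerates the chain.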