2005-12-30 20:58:22 +01:00
|
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
|
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
|
|
|
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
|
|
|
|
<article>
|
|
|
|
|
<!--$Id$-->
|
|
|
|
|
|
|
|
|
|
<articleinfo>
|
|
|
|
|
<title>Xen and Shorewall</title>
|
|
|
|
|
|
|
|
|
|
<authorgroup>
|
|
|
|
|
<author>
|
|
|
|
|
<firstname>Tom</firstname>
|
|
|
|
|
|
|
|
|
|
<surname>Eastep</surname>
|
|
|
|
|
</author>
|
|
|
|
|
</authorgroup>
|
|
|
|
|
|
2006-04-28 18:25:08 +02:00
|
|
|
<pubdate>2006-04-28</pubdate>
|
2005-12-30 20:58:22 +01:00
|
|
|
|
|
|
|
|
<copyright>
|
|
|
|
|
<year>2006</year>
|
|
|
|
|
|
|
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
|
|
|
</copyright>
|
|
|
|
|
|
|
|
|
|
<legalnotice>
|
|
|
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
|
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
|
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
|
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
|
|
|
Texts. A copy of the license is included in the section entitled
|
|
|
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
|
|
|
License</ulink></quote>.</para>
|
|
|
|
|
</legalnotice>
|
|
|
|
|
</articleinfo>
|
|
|
|
|
|
2006-04-15 18:39:15 +02:00
|
|
|
<caution>
|
2006-04-28 18:25:08 +02:00
|
|
|
<para>This article applies to <emphasis role="bold">Shorewall
|
|
|
|
|
3.0.6</emphasis> and later. If you are running a version of Shorewall
|
|
|
|
|
earlier than Shorewall 3.0.6, you will need to upgrade to that
|
|
|
|
|
version.</para>
|
2006-04-15 18:39:15 +02:00
|
|
|
</caution>
|
|
|
|
|
|
2005-12-30 20:58:22 +01:00
|
|
|
<section>
|
|
|
|
|
<title>Xen Network Environment</title>
|
|
|
|
|
|
|
|
|
|
<para><ulink
|
|
|
|
|
url="http://www.cl.cam.ac.uk/Research/SRG/netos/xen/">Xen</ulink> is a
|
|
|
|
|
<firstterm>paravirtualization</firstterm> tool that allows you to run
|
|
|
|
|
multiple virtual machines on one physical machine. It is available on a
|
|
|
|
|
wide number of platforms and is included in recent
|
|
|
|
|
<trademark>SuSE</trademark> distributions.</para>
|
|
|
|
|
|
|
|
|
|
<para>Xen refers to the virtual machines as
|
2005-12-30 23:31:08 +01:00
|
|
|
<firstterm>Domains</firstterm>. Domains are numbered with the first domain
|
2006-02-19 18:33:42 +01:00
|
|
|
being domain 0, the second domain 1, and so on. Domain 0
|
|
|
|
|
(<firstterm>Dom0</firstterm>) is special because that is the domain
|
|
|
|
|
created when to machine is booted. Additional domains (called
|
|
|
|
|
<firstterm>DomU</firstterm>'s) are created using the <command>xm
|
|
|
|
|
create</command> command from within Domain 0. Additional domains can also
|
|
|
|
|
be created automatically at boot time by using the
|
|
|
|
|
<command>xendomains</command> service.</para>
|
2005-12-30 20:58:22 +01:00
|
|
|
|
|
|
|
|
<para>Xen virtualizes a network interface named <filename
|
2006-01-03 16:56:46 +01:00
|
|
|
class="devicefile">eth0</filename><footnote>
|
|
|
|
|
<para>This assumes the default Xen configuration created by
|
|
|
|
|
<command>xend </command>and assumes that the host system has a single
|
|
|
|
|
ethernet interface named <filename
|
|
|
|
|
class="devicefile">eth0</filename>.</para>
|
2006-04-27 17:04:43 +02:00
|
|
|
</footnote>in each domain. In Dom0, Xen also creates a bridge (<filename
|
|
|
|
|
class="devicefile">xenbr0</filename>) and a number of virtual interfaces
|
|
|
|
|
as shown in the following diagram.</para>
|
2005-12-30 20:58:22 +01:00
|
|
|
|
|
|
|
|
<graphic align="center" fileref="images/Xen1.png" />
|
|
|
|
|
|
2006-02-19 18:33:42 +01:00
|
|
|
<para>I use the term <firstterm>Extended Dom0</firstterm> to distinguish
|
|
|
|
|
the bridge and virtual interfaces from Dom0 itself. That distinction is
|
|
|
|
|
important when we try to apply Shorewall in this environment.</para>
|
2005-12-30 20:58:22 +01:00
|
|
|
|
|
|
|
|
<para>The bridge has a number of ports:</para>
|
|
|
|
|
|
|
|
|
|
<itemizedlist>
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>peth0 — This is the port that connects to the physical network
|
|
|
|
|
interface in your system.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>vif0.0 — This is the bridge port that is used by traffic to/from
|
|
|
|
|
Domain 0.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>vifX.0 — This is the bridge port that is used by traffic to/from
|
|
|
|
|
Domain X.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
</itemizedlist>
|
|
|
|
|
</section>
|
|
|
|
|
|
|
|
|
|
<section>
|
2006-02-19 18:33:42 +01:00
|
|
|
<title>Configuring Shorewall in Dom0</title>
|
2005-12-30 20:58:22 +01:00
|
|
|
|
|
|
|
|
<para>As I state in the answer to <ulink url="FAQ.htm#faq2">Shorewall FAQ
|
|
|
|
|
2</ulink>, I object to running servers in a local zone because if the
|
|
|
|
|
server becomes compromised then there is no protection between that
|
2006-01-03 16:56:46 +01:00
|
|
|
compromised server and the other local systems. Xen allows me to safely
|
|
|
|
|
run Internet-accessible servers in my local zone by creating a firewall in
|
2006-02-19 18:33:42 +01:00
|
|
|
(the Extended) Dom0 to isolate the server(s) from the other local systems
|
|
|
|
|
(including Dom0).</para>
|
2005-12-30 20:58:22 +01:00
|
|
|
|
2006-03-11 00:03:07 +01:00
|
|
|
<caution>
|
|
|
|
|
<para>I find Xen Domain 0 to be an arcane environment in which to try to
|
|
|
|
|
use Netfilter (and hence Shorewall). As the number of interfaces and
|
|
|
|
|
bridges increase, complexity increases geometrically. I recommend
|
|
|
|
|
following this guide only if you really need to place a public server in
|
|
|
|
|
your local network. Otherwise, the <ulink url="XenMyWay.html">way that I
|
|
|
|
|
use Xen</ulink> is much more straight-forward.</para>
|
|
|
|
|
</caution>
|
|
|
|
|
|
2005-12-30 20:58:22 +01:00
|
|
|
<para>Here is an example. In this example, we will assume that the system
|
|
|
|
|
is behind a second firewall that restricts incoming traffic so that we
|
2006-03-11 00:03:07 +01:00
|
|
|
only have to worry about protecting the local LAN from the systems running
|
2006-02-19 18:33:42 +01:00
|
|
|
in the DomU's.</para>
|
2006-01-03 16:56:46 +01:00
|
|
|
|
2006-02-12 17:11:41 +01:00
|
|
|
<section>
|
|
|
|
|
<title>/etc/shorewall/shorewall.conf</title>
|
|
|
|
|
|
|
|
|
|
<para>Because Xen uses normal Linux bridging, you must enable bridge
|
|
|
|
|
support in shorewall.conf</para>
|
|
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
|
<programlisting>BRIDGING=Yes</programlisting>
|
|
|
|
|
</blockquote>
|
|
|
|
|
</section>
|
|
|
|
|
|
2005-12-30 20:58:22 +01:00
|
|
|
<section>
|
|
|
|
|
<title>/etc/shorewall/zones</title>
|
|
|
|
|
|
|
|
|
|
<para>One thing strange about configuring Shorewall in this environment
|
2006-02-19 18:33:42 +01:00
|
|
|
is that Dom0 is defined as two different zones. It is defined as the
|
2005-12-30 20:58:22 +01:00
|
|
|
firewall zone and it is also defined as "all systems connected to
|
2006-01-03 16:56:46 +01:00
|
|
|
<filename class="devicefile">xenbr0:vif0.0</filename>. In this case, I
|
|
|
|
|
call this second zone <emphasis role="bold">ursa</emphasis> (which is
|
2006-02-19 18:33:42 +01:00
|
|
|
the name given to the virtual system running in Dom0); that zone
|
|
|
|
|
corresponds to Dom0 as seen from the outside in the diagram above (see
|
|
|
|
|
more <link linkend="zones">below</link>).</para>
|
2005-12-30 20:58:22 +01:00
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
|
<programlisting># OPTIONS OPTIONS
|
|
|
|
|
fw firewall #Domain 0
|
|
|
|
|
ursa ipv4 #Domain 0 on the bridge
|
|
|
|
|
dmz ipv4 #Server(s) running in Domains other than 0
|
|
|
|
|
net ipv4 #The local LAN and beyond
|
|
|
|
|
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
|
|
|
|
</blockquote>
|
|
|
|
|
</section>
|
|
|
|
|
|
|
|
|
|
<section>
|
|
|
|
|
<title>/etc/shorewall/interfaces</title>
|
|
|
|
|
|
|
|
|
|
<para>We must deal with two network interfaces. We must deal with the
|
|
|
|
|
(virtualized) eth0 and we must also deal with the bridge (xenbr0)
|
|
|
|
|
created by Xen.</para>
|
|
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
|
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
|
|
|
|
- xenbr0 - dhcp
|
|
|
|
|
net eth0 detect dhcp
|
|
|
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
|
|
|
</blockquote>
|
|
|
|
|
</section>
|
|
|
|
|
|
|
|
|
|
<section>
|
|
|
|
|
<title>/etc/shorewall/hosts</title>
|
|
|
|
|
|
|
|
|
|
<para>Here we define the zones <emphasis role="bold">ursa</emphasis> and
|
|
|
|
|
<emphasis role="bold">dmz</emphasis> and we extend the definition of the
|
|
|
|
|
zone <emphasis role="bold">net</emphasis>.<blockquote>
|
|
|
|
|
<programlisting>#ZONE HOST(S) OPTIONS
|
|
|
|
|
ursa xenbr0:vif0.0
|
2006-04-28 18:29:14 +02:00
|
|
|
dmz xenbr0:vif+ routeback
|
2005-12-30 20:58:22 +01:00
|
|
|
net xenbr0:peth0
|
|
|
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE</programlisting>
|
|
|
|
|
</blockquote></para>
|
|
|
|
|
|
|
|
|
|
<para>Note that the <emphasis role="bold">net</emphasis> zone has two
|
2006-02-19 18:33:42 +01:00
|
|
|
different interfaces. From the point of view of Dom0 (which is where
|
2005-12-30 20:58:22 +01:00
|
|
|
Shorewall runs), the <emphasis role="bold">net</emphasis> zone comprises
|
2006-02-19 18:33:42 +01:00
|
|
|
everything except Dom0. From the point of view of the Extended Domain 0,
|
|
|
|
|
the <emphasis role="bold">net</emphasis> zone is everything connected
|
|
|
|
|
(directly or indirectly) to the <filename
|
2005-12-30 20:58:22 +01:00
|
|
|
class="devicefile">peth0</filename> port on the bridge.</para>
|
|
|
|
|
</section>
|
|
|
|
|
|
|
|
|
|
<section>
|
|
|
|
|
<title>/etc/shorewall/policy</title>
|
|
|
|
|
|
|
|
|
|
<para>The policies shown here effectively isolate Domains 1...N.</para>
|
|
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
|
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
|
|
|
|
|
# LEVEL
|
|
|
|
|
all fw ACCEPT
|
|
|
|
|
fw all ACCEPT
|
|
|
|
|
ursa all ACCEPT
|
|
|
|
|
net ursa ACCEPT
|
|
|
|
|
net net NONE
|
|
|
|
|
all all REJECT info
|
|
|
|
|
#LAST LINE -- DO NOT REMOVE
|
|
|
|
|
</programlisting>
|
|
|
|
|
</blockquote>
|
|
|
|
|
</section>
|
|
|
|
|
|
|
|
|
|
<section>
|
|
|
|
|
<title>/etc/shorewall/rules</title>
|
|
|
|
|
|
|
|
|
|
<para>These rules determine the traffic allowed into and out of the
|
|
|
|
|
<emphasis role="bold">dmz</emphasis> zone.</para>
|
|
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
|
<programlisting>#
|
|
|
|
|
# "Net' to DMZ
|
|
|
|
|
#
|
|
|
|
|
ACCEPT net dmz udp domain
|
|
|
|
|
ACCEPT net dmz tcp www,smtp,smtps,domain,ssh,imap,rsync,https,imaps,ftp,10023,pop3,3128
|
|
|
|
|
Trcrt/ACCEPT net dmz
|
|
|
|
|
#
|
|
|
|
|
# DMZ to 'Net'
|
|
|
|
|
#
|
|
|
|
|
ACCEPT dmz net:!192.168.0.0/22 udp domain,ntp
|
|
|
|
|
ACCEPT dmz net:!192.168.0.0/22 tcp echo,ftp,ssh,smtp,whois,domain,www,81,https,rsync,cvspserver,2702,2703,8080
|
|
|
|
|
ACCEPT dmz net:$POPSERVERS tcp pop3
|
|
|
|
|
Ping/ACCEPT dmz net
|
|
|
|
|
|
|
|
|
|
Ping/ACCEPT dmz ursa</programlisting>
|
|
|
|
|
</blockquote>
|
|
|
|
|
|
2006-01-03 16:56:46 +01:00
|
|
|
<para>Here, 192.168.0.0/22 comprises my local network.</para>
|
2005-12-30 20:58:22 +01:00
|
|
|
|
2006-02-12 17:11:41 +01:00
|
|
|
<para id="zones">From the point of view of Shorewall, the zone diagram
|
|
|
|
|
is as shown in the following diagram.</para>
|
2005-12-30 20:58:22 +01:00
|
|
|
|
|
|
|
|
<graphic align="center" fileref="images/Xen2.png" />
|
2006-02-12 17:11:41 +01:00
|
|
|
|
|
|
|
|
<para>Note that the <emphasis role="bold">ursa</emphasis> zone subsumes
|
|
|
|
|
the <emphasis role="bold">fw</emphasis> zone because the <emphasis
|
|
|
|
|
role="bold">ursa</emphasis> zone is defined to be all systems that
|
|
|
|
|
interface to xenbr0's vif0.0 port — it is the rules governing traffic
|
|
|
|
|
to/from the <emphasis role="bold">ursa</emphasis> zone that protect the
|
|
|
|
|
firewall in this configuration.</para>
|
2006-02-19 18:33:42 +01:00
|
|
|
|
|
|
|
|
<para>More elaborate configurations are possible as described in my
|
|
|
|
|
<ulink url="XenMyWay.html">Xen and the Art of Consolidation</ulink>
|
|
|
|
|
article.</para>
|
2005-12-30 20:58:22 +01:00
|
|
|
</section>
|
|
|
|
|
</section>
|
|
|
|
|
</article>
|
