Xen and ShorewallTomEastep2006-04-152006Thomas M. EastepPermission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
GNU Free Documentation
License.This article applies to Shorewall 3.0 and later. If you are running
a version of Shorewall earlier than Shorewall 3.0.0 then please see the
documentation for that release.Xen Network EnvironmentXen is a
paravirtualization tool that allows you to run
multiple virtual machines on one physical machine. It is available on a
wide number of platforms and is included in recent
SuSE distributions.Xen refers to the virtual machines as
Domains. Domains are numbered with the first domain
being domain 0, the second domain 1, and so on. Domain 0
(Dom0) is special because that is the domain
created when to machine is booted. Additional domains (called
DomU's) are created using the xm
create command from within Domain 0. Additional domains can also
be created automatically at boot time by using the
xendomains service.Xen virtualizes a network interface named eth0This assumes the default Xen configuration created by
xend and assumes that the host system has a single
ethernet interface named eth0. in each domain. In Dom0, Xen also creates a bridge
(xenbr0) and a number of virtual
interfaces as shown in the following diagram.I use the term Extended Dom0 to distinguish
the bridge and virtual interfaces from Dom0 itself. That distinction is
important when we try to apply Shorewall in this environment.The bridge has a number of ports:peth0 — This is the port that connects to the physical network
interface in your system.vif0.0 — This is the bridge port that is used by traffic to/from
Domain 0.vifX.0 — This is the bridge port that is used by traffic to/from
Domain X.Configuring Shorewall in Dom0As I state in the answer to Shorewall FAQ
2, I object to running servers in a local zone because if the
server becomes compromised then there is no protection between that
compromised server and the other local systems. Xen allows me to safely
run Internet-accessible servers in my local zone by creating a firewall in
(the Extended) Dom0 to isolate the server(s) from the other local systems
(including Dom0).I find Xen Domain 0 to be an arcane environment in which to try to
use Netfilter (and hence Shorewall). As the number of interfaces and
bridges increase, complexity increases geometrically. I recommend
following this guide only if you really need to place a public server in
your local network. Otherwise, the way that I
use Xen is much more straight-forward.Here is an example. In this example, we will assume that the system
is behind a second firewall that restricts incoming traffic so that we
only have to worry about protecting the local LAN from the systems running
in the DomU's./etc/shorewall/shorewall.confBecause Xen uses normal Linux bridging, you must enable bridge
support in shorewall.conf
BRIDGING=Yes
/etc/shorewall/zonesOne thing strange about configuring Shorewall in this environment
is that Dom0 is defined as two different zones. It is defined as the
firewall zone and it is also defined as "all systems connected to
xenbr0:vif0.0. In this case, I
call this second zone ursa (which is
the name given to the virtual system running in Dom0); that zone
corresponds to Dom0 as seen from the outside in the diagram above (see
more below).
# OPTIONS OPTIONS
fw firewall #Domain 0
ursa ipv4 #Domain 0 on the bridge
dmz ipv4 #Server(s) running in Domains other than 0
net ipv4 #The local LAN and beyond
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
/etc/shorewall/interfacesWe must deal with two network interfaces. We must deal with the
(virtualized) eth0 and we must also deal with the bridge (xenbr0)
created by Xen.
#ZONE INTERFACE BROADCAST OPTIONS
- xenbr0 - dhcp
net eth0 detect dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/shorewall/hostsHere we define the zones ursa and
dmz and we extend the definition of the
zone net.
#ZONE HOST(S) OPTIONS
ursa xenbr0:vif0.0
dmz xenbr0:vif+There is a bug in Shorewall versions prior to 3.0.4 that treats all bridge ports as if they had routeback specified. I recommend that you run a Shorewall verison > 3.0.3 if you run Xen.
net xenbr0:peth0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
Note that the net zone has two
different interfaces. From the point of view of Dom0 (which is where
Shorewall runs), the net zone comprises
everything except Dom0. From the point of view of the Extended Domain 0,
the net zone is everything connected
(directly or indirectly) to the peth0 port on the bridge./etc/shorewall/policyThe policies shown here effectively isolate Domains 1...N.
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
all fw ACCEPT
fw all ACCEPT
ursa all ACCEPT
net ursa ACCEPT
net net NONE
all all REJECT info
#LAST LINE -- DO NOT REMOVE
/etc/shorewall/rulesThese rules determine the traffic allowed into and out of the
dmz zone.
#
# "Net' to DMZ
#
ACCEPT net dmz udp domain
ACCEPT net dmz tcp www,smtp,smtps,domain,ssh,imap,rsync,https,imaps,ftp,10023,pop3,3128
Trcrt/ACCEPT net dmz
#
# DMZ to 'Net'
#
ACCEPT dmz net:!192.168.0.0/22 udp domain,ntp
ACCEPT dmz net:!192.168.0.0/22 tcp echo,ftp,ssh,smtp,whois,domain,www,81,https,rsync,cvspserver,2702,2703,8080
ACCEPT dmz net:$POPSERVERS tcp pop3
Ping/ACCEPT dmz net
Ping/ACCEPT dmz ursa
Here, 192.168.0.0/22 comprises my local network.From the point of view of Shorewall, the zone diagram
is as shown in the following diagram.Note that the ursa zone subsumes
the fw zone because the ursa zone is defined to be all systems that
interface to xenbr0's vif0.0 port — it is the rules governing traffic
to/from the ursa zone that protect the
firewall in this configuration.More elaborate configurations are possible as described in my
Xen and the Art of Consolidation
article.