<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> <article> <!--$Id$--> <articleinfo> <title>Xen and Shorewall</title> <authorgroup> <author> <firstname>Tom</firstname> <surname>Eastep</surname> </author> </authorgroup> <pubdate><?dbtimestamp format="Y/m/d"?></pubdate> <copyright> <year>2006</year> <holder>Thomas M. Eastep</holder> </copyright> <legalnotice> <para>Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para> </legalnotice> </articleinfo> <caution> <para>This article applies to <emphasis role="bold">Shorewall 3.0.6</emphasis> and later. If you are running a version of Shorewall earlier than Shorewall 3.0.6, you will need to upgrade to that version.</para> </caution> <section> <title>Xen Network Environment</title> <para><ulink url="http://www.cl.cam.ac.uk/Research/SRG/netos/xen/">Xen</ulink> is a <firstterm>paravirtualization</firstterm> tool that allows you to run multiple virtual machines on one physical machine. It is available on a wide number of platforms and is included in recent <trademark>SUSE</trademark> distributions.</para> <para>Xen refers to the virtual machines as <firstterm>Domains</firstterm>. Domains are numbered with the first domain being domain 0, the second domain 1, and so on. Domain 0 (<firstterm>Dom0</firstterm>) is special because that is the domain created when to machine is booted. Additional domains (called <firstterm>DomU</firstterm>'s) are created using the <command>xm create</command> command from within Domain 0. Additional domains can also be created automatically at boot time by using the <command>xendomains</command> service.</para> <para>Xen virtualizes a network interface named <filename class="devicefile">eth0</filename><footnote> <para>This assumes the default Xen configuration created by <command>xend </command>and assumes that the host system has a single ethernet interface named <filename class="devicefile">eth0</filename>.</para> </footnote>in each domain. In Dom0, Xen also creates a bridge (<filename class="devicefile">xenbr0</filename>) and a number of virtual interfaces as shown in the following diagram.</para> <graphic align="center" fileref="images/Xen1.png" /> <para>I use the term <firstterm>Extended Dom0</firstterm> to distinguish the bridge and virtual interfaces from Dom0 itself. That distinction is important when we try to apply Shorewall in this environment.</para> <para>The bridge has a number of ports:</para> <itemizedlist> <listitem> <para>peth0 — This is the port that connects to the physical network interface in your system.</para> </listitem> <listitem> <para>vif0.0 — This is the bridge port that is used by traffic to/from Domain 0.</para> </listitem> <listitem> <para>vifX.0 — This is the bridge port that is used by traffic to/from Domain X.</para> </listitem> </itemizedlist> </section> <section> <title>Configuring Shorewall in Dom0</title> <para>As I state in the answer to <ulink url="FAQ.htm#faq2">Shorewall FAQ 2</ulink>, I object to running servers in a local zone because if the server becomes compromised then there is no protection between that compromised server and the other local systems. Xen allows you to safely run Internet-accessible servers in your local zone by creating a firewall in (the Extended) Dom0 to isolate the server(s) from the other local systems (including Dom0).</para> <caution> <para>I find Xen Domain 0 to be an arcane environment in which to try to use Netfilter (and hence Shorewall). As the number of interfaces and bridges increase, complexity increases geometrically. I recommend following this guide only if you really need to place a public server in your local network. Otherwise, the <ulink url="XenMyWay.html">way that I use Xen</ulink> is much more straight-forward.</para> </caution> <warning> <para>I know of no case where a user has successfully used NAT (including Masquerade) in a bridged Xen Dom0. So if you want to create a masquerading firewall/gateway using Xen, you need to do so in a DomU (see <ulink url="XenMyWay.html">how I do it</ulink>) or you must configure Xen to use routing and NAT rather than the default bridging.</para> </warning> <para>Here is an example. In this example, we will assume that the system is behind a second firewall that restricts incoming traffic so that we only have to worry about protecting the local LAN from the systems running in the DomU's.</para> <section> <title>/etc/shorewall/shorewall.conf</title> <para>Because Xen uses normal Linux bridging, you must enable bridge support in shorewall.conf</para> <blockquote> <programlisting>BRIDGING=Yes</programlisting> </blockquote> </section> <section> <title>/etc/shorewall/zones</title> <para>One thing strange about configuring Shorewall in this environment is that Dom0 is defined as two different zones. It is defined as the firewall zone and it is also defined as "all systems connected to <filename class="devicefile">xenbr0:vif0.0</filename>. In this case, I call this second zone <emphasis role="bold">ursa</emphasis> (which was the name given to the virtual system running in Dom0 when I ran this configuration); that zone corresponds to Dom0 as seen from the outside in the diagram above (see more <link linkend="zones">below</link>).</para> <blockquote> <programlisting># OPTIONS OPTIONS fw firewall #Domain 0 ursa ipv4 #Domain 0 on the bridge dmz ipv4 #Server(s) running in Domains other than 0 net ipv4 #The local LAN and beyond #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting> </blockquote> </section> <section> <title>/etc/shorewall/interfaces</title> <para>We must deal with two network interfaces. We must deal with the (virtualized) eth0 and we must also deal with the bridge (xenbr0) created by Xen.</para> <blockquote> <programlisting>#ZONE INTERFACE BROADCAST OPTIONS - xenbr0 - dhcp net eth0 detect dhcp #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting> </blockquote> </section> <section> <title>/etc/shorewall/hosts</title> <para>Here we define the zones <emphasis role="bold">ursa</emphasis> and <emphasis role="bold">dmz</emphasis> and we extend the definition of the zone <emphasis role="bold">net</emphasis>.<blockquote> <programlisting>#ZONE HOST(S) OPTIONS ursa xenbr0:vif0.0 dmz xenbr0:vif+ routeback net xenbr0:peth0 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE</programlisting> </blockquote></para> <para>Note that the <emphasis role="bold">net</emphasis> zone has two different interfaces. From the point of view of Dom0 (which is where Shorewall runs), the <emphasis role="bold">net</emphasis> zone comprises everything except Dom0. From the point of view of the Extended Domain 0, the <emphasis role="bold">net</emphasis> zone is everything connected (directly or indirectly) to the <filename class="devicefile">peth0</filename> port on the bridge.</para> </section> <section> <title>/etc/shorewall/policy</title> <para>The policies shown here effectively isolate Domains 1...N.</para> <blockquote> <programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST # LEVEL all fw ACCEPT fw all ACCEPT ursa all ACCEPT net ursa ACCEPT net net NONE all all REJECT info #LAST LINE -- DO NOT REMOVE </programlisting> </blockquote> </section> <section> <title>/etc/shorewall/rules</title> <para>These rules determine the traffic allowed into and out of the <emphasis role="bold">dmz</emphasis> zone.</para> <blockquote> <programlisting># # "Net' to DMZ # ACCEPT net dmz udp domain ACCEPT net dmz tcp www,smtp,smtps,domain,ssh,imap,rsync,https,imaps,ftp,10023,pop3,3128 Trcrt/ACCEPT net dmz # # DMZ to 'Net' # ACCEPT dmz net:!192.168.0.0/22 udp domain,ntp ACCEPT dmz net:!192.168.0.0/22 tcp echo,ftp,ssh,smtp,whois,domain,www,81,https,rsync,cvspserver,2702,2703,8080 ACCEPT dmz net:$POPSERVERS tcp pop3 Ping/ACCEPT dmz net Ping/ACCEPT dmz ursa</programlisting> </blockquote> <para>Here, 192.168.0.0/22 comprises the local network.</para> <para id="zones">From the point of view of Shorewall, the zone diagram is as shown in the following diagram.</para> <graphic align="center" fileref="images/Xen2.png" /> <para>Note that the <emphasis role="bold">ursa</emphasis> zone subsumes the <emphasis role="bold">fw</emphasis> zone because the <emphasis role="bold">ursa</emphasis> zone is defined to be all systems that interface to xenbr0's vif0.0 port — it is the rules governing traffic to/from the <emphasis role="bold">ursa</emphasis> zone that protect the firewall in this configuration.</para> <para>More elaborate configurations are possible as described in my <ulink url="XenMyWay.html">Xen and the Art of Consolidation</ulink> article.</para> </section> </section> </article>