Thank you for your reply.
I was just thinking it might be too complicated to define zones, policies and rules if I am to do firewalling at the Dom 0 level. It would be too complex as I have six network cards and six ethernet bridges at the Dom 0 level.
Just to confirm your point #2:
Dom 0 - eth0 / xenbr0 only - eth0 configured as 192.168.1.1 for management purposes. This will be the only interface for Dom 0. Firewalling in Dom 0 is only for eth0. Perhaps open ports for ssh only.
eth1 / xenbr1 - no IP address configured in Dom 0 - reserved for virtual machine Dom 1
eth2 / xenbr2 - no IP address configured in Dom 0 - reserved for virtual machine Dom 2
eth3 / xenbr3 - no IP address configured in Dom 0 - reserved for virtual machine Dom 3
eth4 / xenbr4 - no IP address configured in Dom 0 - reserved for virtual machine Dom 4
eth5 / xenbr5 - no IP address configured in Dom 0 - reserved for virtual machine Dom 5
Thus I will configure IP address for the virtual eth0 inside virtual machines and do firewalling for eth0 inside VMs.
Hope I understood correctly.
When I configured Dom 1 as 192.168.1.2/255.255.255.0, I couldn't ping Dom 1 from Dom 0. Similarly, I could not ping Dom 0 from Dom 1. I get Destination Host Unreachable error messages. Any fix?
Teo En Ming wrote:
>I have a 64-bit server running RHEL 5 x86_64 Xen Virtualization.
>There are 6 NICs in this Xen Host.
>The interface names in Dom 0 are:
>eth0 - xenbr0 - reserved for Dom 0 Host Management Administration
>eth1 - xenbr1 - reserved for Virtual Machine #1
>eth2 - xenbr2 - reserved for Virtual Machine #2
>eth3 - xenbr3 - reserved for Virtual Machine #3
>eth4 - xenbr4 - reserved for Virtual Machine #4
>eth5 - xenbr5 - reserved for Virtual Machine #5
>How should I configure shorewall in this case of multiple nics, each
>nic being dedicated to a Virtual Machine?
You have two main options:
1) You could run shorewall in the Dom-0 and configure policies/rules
2) You don't bother trying to filter at the Dom-0 bridge level, but
instead run Shorewall on each VM - and that simply means using the
single interface config examples. Each VM will simply have a single
'eth0' and the single interface config examples should work without
I would do the latter; it's far easier to set up, plus your
firewalling is configured per VM and it's easier than keeping track
of firewall rules running on a 'machine' that is different to the
machine the services are hosted on.
As for protecting the Dom-0, you can again run Shorewall and follow
the single interface examples - just using eth0 and not assigning IP
addresses to any of the vif0.n interfaces.
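The single-interface Shorewall layout recommended above (Dom 0 firewalling only eth0 with SSH open, and the same one-interface setup inside each VM), as an added example that is not part of this thread or of Shorewall's own documentation. It assumes the Shorewall 3.x/4.x column formats; the target directory, interface name and allowed TCP ports are parameters chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): write the minimal "one-interface"
# Shorewall configuration for Dom 0 or for a single VM.
# Assumes Shorewall 3.x/4.x file formats. Usage:
#   write_shorewall_single_iface /etc/shorewall eth0 22
write_shorewall_single_iface() {
    dir=$1; iface=${2:-eth0}; ports=${3:-22}
    mkdir -p "$dir"

    # Two zones: the firewall host itself ($FW) and everything reachable via $iface.
    cat > "$dir/zones" <<EOF
#ZONE   TYPE
fw      firewall
net     ipv4
EOF

    # Exactly one interface is firewalled; in Dom 0 the xenbrN bridges and
    # vif0.n interfaces carry no addresses and are deliberately left out.
    cat > "$dir/interfaces" <<EOF
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     $iface      detect      tcpflags,nosmurfs,logmartians
EOF

    # Default policy: outbound allowed, all inbound dropped and logged.
    cat > "$dir/policy" <<EOF
#SOURCE DEST    POLICY  LOG LEVEL
\$FW    net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF

    # Exceptions: the listed TCP ports (SSH only by default) and ICMP echo
    # request, so a ping test is not silently eaten by the firewall itself.
    cat > "$dir/rules" <<EOF
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT  net     \$FW    tcp     $ports
ACCEPT  net     \$FW    icmp    8
EOF
}

# Sanity check on the generated files (does not need shorewall installed):
# the interfaces file must name exactly one firewalled interface.
count_firewalled_ifaces() {
    grep -cv '^#' "$1/interfaces"
}
```

Run `shorewall check` against the generated directory before `shorewall start`; the check catches format mistakes without touching the running ruleset.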
Shorewall-users mailing list