<< Back to man.ChinaUnix.net

Xen and Shorewall

Tom Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

2006-04-28


Table of Contents

Xen Network Environment
Configuring Shorewall in Dom0
/etc/shorewall/shorewall.conf
/etc/shorewall/zones
/etc/shorewall/interfaces
/etc/shorewall/hosts
/etc/shorewall/policy
/etc/shorewall/rules

Caution

This article applies to Shorewall 3.0.6 and later. If you are running a version of Shorewall earlier than Shorewall 3.0.6, you will need to upgrade to that version.

Xen Network Environment

Xen is a paravirtualization tool that allows you to run multiple virtual machines on one physical machine. It is available on a wide number of platforms and is included in recent SUSE™ distributions.

Xen refers to the virtual machines as Domains. Domains are numbered with the first domain being domain 0, the second domain 1, and so on. Domain 0 (Dom0) is special because that is the domain created when to machine is booted. Additional domains (called DomU's) are created using the xm create command from within Domain 0. Additional domains can also be created automatically at boot time by using the xendomains service.

Xen virtualizes a network interface named eth0[1]in each domain. In Dom0, Xen also creates a bridge (xenbr0) and a number of virtual interfaces as shown in the following diagram.

I use the term Extended Dom0 to distinguish the bridge and virtual interfaces from Dom0 itself. That distinction is important when we try to apply Shorewall in this environment.

The bridge has a number of ports:

  • peth0 — This is the port that connects to the physical network interface in your system.

  • vif0.0 — This is the bridge port that is used by traffic to/from Domain 0.

  • vifX.0 — This is the bridge port that is used by traffic to/from Domain X.

Configuring Shorewall in Dom0

As I state in the answer to Shorewall FAQ 2, I object to running servers in a local zone because if the server becomes compromised then there is no protection between that compromised server and the other local systems. Xen allows me to safely run Internet-accessible servers in my local zone by creating a firewall in (the Extended) Dom0 to isolate the server(s) from the other local systems (including Dom0).

Caution

I find Xen Domain 0 to be an arcane environment in which to try to use Netfilter (and hence Shorewall). As the number of interfaces and bridges increase, complexity increases geometrically. I recommend following this guide only if you really need to place a public server in your local network. Otherwise, the way that I use Xen is much more straight-forward.

Here is an example. In this example, we will assume that the system is behind a second firewall that restricts incoming traffic so that we only have to worry about protecting the local LAN from the systems running in the DomU's.

/etc/shorewall/shorewall.conf

Because Xen uses normal Linux bridging, you must enable bridge support in shorewall.conf

BRIDGING=Yes

/etc/shorewall/zones

One thing strange about configuring Shorewall in this environment is that Dom0 is defined as two different zones. It is defined as the firewall zone and it is also defined as "all systems connected to xenbr0:vif0.0. In this case, I call this second zone ursa (which is the name given to the virtual system running in Dom0); that zone corresponds to Dom0 as seen from the outside in the diagram above (see more below).

#                                       OPTIONS                 OPTIONS
fw      firewall                        #Domain 0
ursa    ipv4                            #Domain 0 on the bridge
dmz     ipv4                            #Server(s) running in Domains other than 0
net     ipv4                            #The local LAN and beyond
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

/etc/shorewall/interfaces

We must deal with two network interfaces. We must deal with the (virtualized) eth0 and we must also deal with the bridge (xenbr0) created by Xen.

#ZONE   INTERFACE       BROADCAST       OPTIONS
-       xenbr0          -               dhcp
net     eth0            detect          dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/hosts

Here we define the zones ursa and dmz and we extend the definition of the zone net.

#ZONE   HOST(S)                                 OPTIONS
ursa    xenbr0:vif0.0
dmz     xenbr0:vif+                             routeback
net     xenbr0:peth0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

Note that the net zone has two different interfaces. From the point of view of Dom0 (which is where Shorewall runs), the net zone comprises everything except Dom0. From the point of view of the Extended Domain 0, the net zone is everything connected (directly or indirectly) to the peth0 port on the bridge.

/etc/shorewall/policy

The policies shown here effectively isolate Domains 1...N.

#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
all             fw              ACCEPT
fw              all             ACCEPT
ursa            all             ACCEPT
net             ursa            ACCEPT
net             net             NONE
all             all             REJECT          info
#LAST LINE -- DO NOT REMOVE

/etc/shorewall/rules

These rules determine the traffic allowed into and out of the dmz zone.

#
# "Net' to DMZ
#
ACCEPT          net                dmz                     udp     domain
ACCEPT          net                dmz                     tcp     www,smtp,smtps,domain,ssh,imap,rsync,https,imaps,ftp,10023,pop3,3128
Trcrt/ACCEPT    net                dmz
#
# DMZ to 'Net'
#
ACCEPT          dmz                net:!192.168.0.0/22     udp     domain,ntp
ACCEPT          dmz                net:!192.168.0.0/22     tcp     echo,ftp,ssh,smtp,whois,domain,www,81,https,rsync,cvspserver,2702,2703,8080
ACCEPT          dmz                net:$POPSERVERS         tcp     pop3
Ping/ACCEPT     dmz                net

Ping/ACCEPT     dmz                ursa

Here, 192.168.0.0/22 comprises my local network.

From the point of view of Shorewall, the zone diagram is as shown in the following diagram.

Note that the ursa zone subsumes the fw zone because the ursa zone is defined to be all systems that interface to xenbr0's vif0.0 port — it is the rules governing traffic to/from the ursa zone that protect the firewall in this configuration.

More elaborate configurations are possible as described in my Xen and the Art of Consolidation article.



[1] This assumes the default Xen configuration created by xend and assumes that the host system has a single ethernet interface named eth0.