Hi All
My servers are all CentOS5 and the intention is to run several DomU servers
(all CentOS5) and the Endian Firewall on one of these servers.
I currently use EFW as my firewall on a separate PC and want to move this to a
Xen DomU. I also wanted to install the most recent version of EFW, so before
going any further I made a backup of my firewall settings (saves having to
start from scratch later on). For my set-up I want to use VMware Server (you
could also use VirtualBox) to install the new EFW on and then move a copy of
it to the new EFW DomU.
The hardware that I'm installing xen and the EFW DomU on is a Dell 1600SC
2x2.4Ghz Xeon processors & 3GB RAM with a SCSI drive for boot and a pair of
SCSI drives in RAID1 (software) configuration with LVM for the DomU volumes.
The networking set-up will be as follows:
1. eth0 connected to my LAN with a fixed IP for my subnet (192.168.1.15 in my
case) and set to start at boot; I've also set it to bind to the MAC address of
my LAN NIC.
2. eth1 will be connected to my ADSL line. I have set it as fixed IP but given
it no IP address and disabled it from starting at boot. I'm not sure if having
no IP creates any security exposure (perhaps an IP not in my subnet might be
better?) when xen gets hold of the NIC and starts it; perhaps someone could
comment on this?
The following steps are what I used to get this working:
1. Install your choice of VMWare or Virtual Box on a workstation then mount the
EFW iso image as a CD drive and boot the virtual machine, commence the install
of EFW (use the non-Xen kernel).
2. When the installation is finished, reboot the VM and log in as root. We need
to move this installation to Dom0, so create a directory /tar and save all the
files in there as an archive with the following command (the excludes keep the
pseudo-filesystems and the archive itself out of the tarball):
$tar -cSp --numeric-owner --atime-preserve --exclude=/proc --exclude=/sys --exclude=/tar -f /tar/efw.tar /
3. To copy this to your Dom0 you can use scp with this command (use the IP of
your Dom0 instead of 192.168.1.15):
$scp /tar/efw.tar [EMAIL PROTECTED]:~
That file will be copied to the home directory of root on your Dom0.
4. On the Dom0 I set up the RAID earlier (a useful link to RAID & LVM here:
http://www.gagme.com/greg/linux/raid-lvm.php#expanding), so now I need to create
the volumes with the following commands:
$pvcreate /dev/md4 -- create the physical volume
$vgcreate lvm-raid /dev/md4 -- create the volume group
$lvcreate -L 6G lvm-raid -n efw.root -- create a logical volume of 6GB
(choose your own size)
$lvcreate -L 100M lvm-raid -n efw.var -- separate logical volume for the
/var directory
$lvcreate -L 512M lvm-raid -n efw.swap -- separate logical volume for our
swap space (we'll set that up later)
5. You need to create a file system on each logical volume you've created
(the same mkfs command for efw.var; efw.swap is set up later with mkswap):
$mkfs -t ext3 /dev/lvm-raid/efw.root
6. Once that's done we can copy our new EFW installation to our logical volume,
so we now need to mount it (create the mount point first if it doesn't exist):
$mount /dev/lvm-raid/efw.root /mnt/efw -- obviously choose your own
location to mount that LV.
$cd /mnt/efw -- change to the new directory
then we can extract the files from our archive (numeric owners again, so the
uid/gid mapping of the Dom0 doesn't get applied) with:
$tar -xSpv --numeric-owner --atime-preserve -f /root/efw.tar
I can't remember why I did this but I created a separate logical volume for the
/var directory; you'll also need to mount that and copy the /var directory and
its contents from the efw.root LV to the efw.var LV. If you don't use the
separate LV for /var, don't forget to modify your fstab to reflect it later.
7. Now we need to install the Xen Kernel. I did this by mounting the EFW iso
image and extracting the kernel RPMs from that and then copying them to the
logical volume. Once that's been done you can install the kernel with the
following:
$chroot /mnt/efw
$rpm -Uvh kernel-xenU-2.6.9-55.EL.endian19.i386.rpm --nodeps
$exit #(leave the chroot)
To boot as a DomU you'll need to copy the vmlinuz and initrd to your Dom0 boot
partition with:
$cp /mnt/efw/boot/initrd-2.6.9-55.EL.endian19-xenU.img /boot
$cp /mnt/efw/boot/vmlinuz-2.6.9-55.EL.endian19-xenU /boot
When you've done that you can create a config file for your new firewall DomU;
this is my file:
name="efw"
kernel = "/boot/vmlinuz-2.6.9-55.EL.endian19-xenU"
ramdisk = "/boot/initrd-2.6.9-55.EL.endian19-xenU.img"
# bootloader="/usr/bin/pygrub"
memory=128
disk = [ 'phy:/dev/lvm-raid/efw.root,hda1,w',
'phy:/dev/lvm-raid/efw.swap,hda2,w', 'phy:/dev/lvm-raid/efw.var,hda4,w' ]
root="/dev/hda1 ro"
vif = [ 'bridge=xenbr0', 'bridge=xenbr1' ]
vcpus = 2
on_reboot = 'restart'
on_crash = 'restart'
Now we need to make a final modification to our /etc/fstab file for the
firewall. If it's not mounted, mount the logical volume containing EFW
again:
$mount /dev/lvm-raid/efw.root /mnt/efw
Then use your favourite editor to modify the file; this is the contents of my
fstab:
/dev/hda1 / ext3 noatime 1 1
/dev/hda4 /var ext3 noatime,mand 1 1
none /proc proc defaults 0 0
none /dev/pts devpts gid=5,mode=620 0 0
/dev/cdrom /mnt/cdrom udf,iso9660 noauto,owner,kudzu,ro 0 0
/dev/hda2 swap swap sw 0 0
Obviously save that file then 'umount /mnt/efw' as we can't start the DomU with
it still mounted. With a bit of luck and if my instructions above are correct
you should be able to start the EFW DomU later.
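A quick consistency check between the DomU config and the guest fstab, added here as an example (not part of the original post): it lists the guest devices the disk= line exports and flags any /dev/hdaN that the fstab mounts but the config never provides, which would leave the DomU unable to mount that filesystem at boot. The config and fstab embedded are the ones from this post (config abridged); the hda3 variant and the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original post): check that every /dev/hdaN
# the guest's fstab mounts is exported by the DomU config's disk = [ ... ]
# list. A mismatch (e.g. /var on hda3 in fstab while the config only
# exports hda1, hda2 and hda4) stops the DomU from mounting /var at boot.

# Print the guest-side device names (hda1, hda2, ...) from the
# disk = [ 'phy:<lv>,<guest dev>,<mode>', ... ] list of config text $1.
xen_guest_devs() {
  printf '%s\n' "$1" | tr -d '\n' | sed -n 's/.*disk *= *\[\([^]]*\)\].*/\1/p' |
    awk -F"'" '{ for (i = 2; i <= NF; i += 2)
                   if (split($i, f, ",") == 3) print f[2] }'
}

# Print the hdXN devices (without /dev/) that fstab text $1 mounts.
fstab_hd_devs() {
  printf '%s\n' "$1" | awk '$1 ~ /^\/dev\/hd[a-z][0-9]+$/ { sub("/dev/", "", $1); print $1 }'
}

# Print fstab devices missing from the config; prints nothing when consistent.
unexported_devs() {
  exported=$(xen_guest_devs "$1")
  for d in $(fstab_hd_devs "$2"); do
    printf '%s\n' "$exported" | grep -qx "$d" || echo "$d"
  done
}

# The DomU config (abridged) and fstab as given in the post.
EFW_CFG="name=\"efw\"
kernel = \"/boot/vmlinuz-2.6.9-55.EL.endian19-xenU\"
memory=128
disk = [ 'phy:/dev/lvm-raid/efw.root,hda1,w',
'phy:/dev/lvm-raid/efw.swap,hda2,w', 'phy:/dev/lvm-raid/efw.var,hda4,w' ]
root=\"/dev/hda1 ro\"
vif = [ 'bridge=xenbr0', 'bridge=xenbr1' ]"
EFW_FSTAB='/dev/hda1 / ext3 noatime 1 1
/dev/hda4 /var ext3 noatime,mand 1 1
none /proc proc defaults 0 0
/dev/cdrom /mnt/cdrom udf,iso9660 noauto,owner,kudzu,ro 0 0
/dev/hda2 swap swap sw 0 0'
# Constructed variant with a typo: /var on hda3, which the config never exports.
BAD_FSTAB=$(printf '%s\n' "$EFW_FSTAB" | sed 's#/dev/hda4#/dev/hda3#')

unexported_devs "$EFW_CFG" "$EFW_FSTAB"    # prints nothing
unexported_devs "$EFW_CFG" "$BAD_FSTAB"    # prints hda3
```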
By default Xen only creates one bridge (xenbr0) when it's installed and you'll
need to modify a couple of scripts to get it working with two bridges. First of
all in the /etc/xen directory you'll find a script named xend-config.sxp (this
is the default bridge configuration script when you boot your server or restart
the xend service), make a modification (save a copy of the original, just in
case) to the script as follows:
Locate the following line (there are several lines like this in the file, but
the one we want is the uncommented one):
(network-script network-bridge)
Comment out that line and add another one that will point to a script we'll
create in a minute, like so:
# (network-script network-bridge)
(network-script 'network-xen-two-bridge start')
Create a new script in the /etc/xen/scripts folder, give it the name you've
used above (network-xen-two-bridge) and make it executable, then copy-paste the
following into the new script:
#!/bin/sh
dir=$(dirname "$0")
# setup standard network config for xenbr0
"$dir/network-bridge" "$@" vifnum=0 bridge=xenbr0 netdev=eth0
# Call network-fw script to add my configuration
# setup XEN network for firewall gateway with 2 zones (Internet, LAN)
"$dir/network-fw" "$@" vifnum=1 bridge=xenbr1 reddev=eth1 fwgw=192.168.1.1
The final script is one provided on Neobiker's Wiki here:
http://www.neobiker.de/wiki/index.php?title=XEN_Netzwerk_f%C3%BCr_Firewall and
I've used it 'as is'. I use it to provide a two zone (internet & LAN) firewall
but you can use it for more zones. You should copy that script and save it in
the same directory as the previous script with the name network-fw - that's all
for the scripts. Not too difficult (for me, anyway). :)
Make sure you've plugged your ADSL cable into eth1, then reboot your server and
check that it boots into the xen kernel OK. If that works, then at a terminal
type the following:
xm create efw -- this should create a running DomU with EFW
xm list -- will list the running DomUs on your server
Check the bridges have been created correctly with:
$cd /etc/xen/scripts
$./network-xen-two-bridge status
That should display some output like this:
5: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
link/ether 00:c0:9f:35:46:15 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.5/24 brd 192.168.1.255 scope global eth0
13: xenbr1: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
link/ether fe:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff
bridge name bridge id STP enabled interfaces
xenbr0 8000.feffffffffff no vif20.0
vif8.0
vif4.0
peth0
vif0.0
xenbr1 8000.feffffffffff no vif8.1
eth1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.5
169.254.0.0/16 dev eth0 scope link
default via 192.168.1.1 dev eth0
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
============================================================
If it does, congratulations, that means both bridges are running and you should
have a firewall running in DomU.
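On the question above of eth1 carrying no address in the Dom0: a defender-side check, added here as an example (not from the original post), that the WAN NIC is enslaved to xenbr1 and that neither eth1 nor xenbr1 has an IPv4 address in the Dom0, so the only thing reachable from the ADSL side is the EFW DomU's vif. The brctl and ip outputs below are constructed samples and the function names are my own.

```sh
#!/bin/sh
# Added check (not from the original post): the WAN NIC must sit on
# xenbr1, and neither it nor the bridge may carry an IPv4 address in the
# Dom0, so that the Dom0 itself is not reachable from the ADSL side.
# BRCTL, IP_OK and IP_BAD below are constructed samples.

# Print the bridge that enslaves port $2, from `brctl show` text in $1.
bridge_of() {
  printf '%s\n' "$1" | awk -v want="$2" '
    NR == 1 { next }               # column header
    NF >= 4 { br = $1; ifc = $4 }  # first line of a bridge: name .. port
    NF == 1 { ifc = $1 }           # continuation line: one more port
    ifc == want { print br; exit }'
}

# Print every IPv4 address that `ip -o -4 addr` text $1 assigns to $2.
addrs_on() {
  printf '%s\n' "$1" | awk -v dev="$2" '$2 == dev { print $4 }'
}

# Succeed only when WAN port $3 is on bridge $4 and neither has an address.
wan_isolated() {
  [ "$(bridge_of "$1" "$3")" = "$4" ] || return 1
  [ -z "$(addrs_on "$2" "$3")" ]      || return 1
  [ -z "$(addrs_on "$2" "$4")" ]      || return 1
}

BRCTL='bridge name     bridge id           STP enabled   interfaces
xenbr0          8000.feffffffffff   no            vif8.0
                                                  peth0
                                                  vif0.0
xenbr1          8000.feffffffffff   no            vif8.1
                                                  eth1'
IP_OK='1: lo    inet 127.0.0.1/8 scope host lo
5: eth0    inet 192.168.1.5/24 brd 192.168.1.255 scope global eth0'
# Same Dom0 but with an address mistakenly configured on the WAN bridge.
IP_BAD="$IP_OK
13: xenbr1    inet 10.0.0.2/24 brd 10.0.0.255 scope global xenbr1"

if wan_isolated "$BRCTL" "$IP_OK" eth1 xenbr1; then
  echo "ok: eth1 is on xenbr1 and the Dom0 has no address on the WAN side"
fi
```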
One thing we haven't done at this point is to set up the swap for the EFW
DomU. Although we modified the fstab to specify a swap (I think Linux
complains but will still run OK), you need to log in to your EFW as root and
then do the following:
$mkswap /dev/hda2
$swapon /dev/hda2
You should now have working swap.
One problem you may encounter is that your Dom0 (or any other DomU connected to
the bridge on eth0) has no internet access after getting EFW running in the
DomU. This is probably the NIC causing the problem; you can check by running
'tcpdump -nvvi eth0' in your Dom0 and then initiating some traffic (e.g. a
'traceroute microsoft.com') and looking at the output tcpdump gives. If there's
any error about 'bad chksum' then you need to modify your NIC driver settings.
The problem is caused by checksum offloading in the NIC driver and you can
check it with the following commands:
$ethtool -k eth0 -- display the settings for your driver; you should see
something like this:
tx-checksumming: on
If that's the case, disable it with:
$ethtool -K eth0 tx off
Check again with tcpdump to see if the error is resolved, if it is then you may
need to disable that feature in all of the running DomUs, you can add that
command to /etc/rc.d/rc.local file so it's changed at boot.
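Added example (not from the original post) that correlates the two checks above: it reads `ethtool -k` and `tcpdump -nvv` output and only points at the TX checksum offload when bad checksums are actually being reported while offload is on. Both outputs are constructed samples and the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original post): decide whether the
# "bad chksum" symptom seen in the Dom0 is the TX checksum offload case
# described above, by correlating `ethtool -k eth0` with `tcpdump -nvvi eth0`.
# ETHTOOL_ON/OFF and DUMP_BAD/OK are constructed to mimic the tools' output.

# Succeed when `ethtool -k` text in $1 reports tx-checksumming: on.
tx_offload_on() {
  printf '%s\n' "$1" | awk '
    $1 == "tx-checksumming:" && $2 == "on" { seen = 1 }
    END { exit seen ? 0 : 1 }'
}

# Print how many packets in tcpdump -vv text $1 carry a bad IP checksum.
bad_cksum_count() {
  printf '%s\n' "$1" | grep -c 'bad cksum' || true
}

# Print the verdict: "offload" (disable it with ethtool -K eth0 tx off),
# "clean" (no bad checksums seen) or "other" (bad checksums with offload
# already off, so the NIC driver setting is not the explanation).
offload_verdict() {
  n=$(bad_cksum_count "$2")
  if [ "$n" -eq 0 ]; then echo clean
  elif tx_offload_on "$1"; then echo offload
  else echo other
  fi
}

ETHTOOL_ON='Offload parameters for eth0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp segmentation offload: on'
ETHTOOL_OFF=$(printf '%s\n' "$ETHTOOL_ON" | sed 's/^tx-checksumming: on/tx-checksumming: off/')
# Two traceroute probes as tcpdump -nvv shows them with offload on (constructed).
DUMP_BAD='12:00:01.000001 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto UDP (17), length 60, bad cksum 0 (->a1b2)!) 192.168.1.5.33434 > 203.0.113.10.33435: UDP, length 32
12:00:01.000002 IP (tos 0x0, ttl 64, id 2, offset 0, flags [DF], proto UDP (17), length 60, bad cksum 0 (->a1b1)!) 192.168.1.5.33434 > 203.0.113.10.33436: UDP, length 32'
DUMP_OK='12:00:02.000001 IP (tos 0x0, ttl 64, id 3, offset 0, flags [DF], proto UDP (17), length 60) 192.168.1.5.33434 > 203.0.113.10.33437: UDP, length 32'

offload_verdict "$ETHTOOL_ON" "$DUMP_BAD"    # prints offload
```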
A few words of thanks: to Marz (a member of these lists) without whose
invaluable help I never would have worked out how to copy a VMware install to
the DomU; Neobiker for the scripts and a great site (even though I don't read
German, google translator was very helpful). Lastly there's a post on the
xen-users list from Geert Janssens here
http://lists.xensource.com/archives/html/xen-users/2007-05/msg00405.html that
gave me the final link for my set-up (and actually described what I wanted in
this diagram
http://lists.xensource.com/archives/html/xen-users/2007-05/pngO3nr4Ts1hL.png ).
Of course a big thank you goes to the developers of EFW for a great product.
I'm still fairly new to Linux & Xen so I hope my instructions aren't too
confusing. If there are any questions or glaring errors/omissions please let me
know. If it works for you, enjoy :-)
Regards
Bill
Efw-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/efw-user