>> I am considering running several virtual servers on one box, all
>> linux for host and virtual machines using VirtualBox.
>>
>> Is it possible/advisable to configure shorewall on the host to act
>> as a firewall for the virtual machines, each having one or more
>> static public IP address?
>
> I run Shorewall on hosts with numerous OpenVZ and KVM guests. For
> full hardware virt, I strongly recommend a supported hypervisor (KVM
> or Xen) managed by libvirt.
The original question has been one that's been keeping me busy forever, so I'll just share some of my ideas. But beware: they are always in flux and never complete; you'll see what I mean :)

I have been using virtualisation since somewhere in 2008, and for a pretty long while now I am using 'plain Xen'. Really good results performance-wise, and I appreciate the separation of hypervisor and OS (plural). I wanted to keep dom0 as "dumb" as possible, so managing domU hardware, starting/stopping clients, that kind of thing, but nothing more.

The host (dom0) runs openvswitch, quote: "a production quality, multilayer virtual switch licensed under the open source Apache 2.0 license." It looks like this will be included in Linux kernel 3.3. With it one can create any number of virtual bridges, and they give a lot more control than generic Linux bridges. Openvswitch seems to support VLAN and QinQ, but I'll skip this lest I make it too obvious that I'm just repeating what the label says... I'll admit that I know zilch about VLAN.

Now when I say 'bridge' I mean something that is only visible in dom0. None of the domUs see any bridge; they just see their own NIC, i.e. eth0, maybe eth1. On this system I am making use of pfSense, but sure, you can use Shorewall with ease.

Before illustrating it I'll describe it some more. The idea here is: one subnet per bridge; one firewall NIC per subnet; and one subnet has either a single client or multiple clients. Dom0's eth0 is a port on an OVS bridge and so is the firewall's virtual NIC. That means that you see data center traffic on the firewall's eth0 port.

Then, in the case of multiple clients on one bridge, this can be 192.168.1.0/24. This subnet can have multiple "virtual workstations" that are free to talk with each other by design. They all share one bridge, invisible to them, on which the domU firewall also resides. If you need client firewalling here then it must be set up by the client.
Although it's even better if people learn to simply not bind services to the wildcard or LAN IP if they shouldn't be reachable.

A single client per bridge is for hosts that are reachable on globally reachable IP addresses. Rule of thumb: one public address is regarded as one subnet, thus its own bridge. This makes it a lot harder to reach other hosts because they will have to do it through the firewall. That's why I don't simply hook all of them onto one bridge. So: global IP -> 1:1 NAT translation -> /31 (PtP) subnet.

Here's the diagram, simple and ugly, so hereby declared public domain (hehe). Here I try to illustrate the gist. One dom0, one dedicated firewall, three "workstations", four publicly reachable servers = nine servers on the same metal.

http://imgur.com/cwClE

In my case the domUs are not meant to all run as fully configured web/mail/database servers. Each server is quite narrow in scope; compare it to FreeBSD with jails on steroids, where one jail runs a webserver and the other a mail hub.

I hope this is of some benefit to OP, and I would also appreciate learning about quirks, holes or stupidities of this approach, networking or otherwise, because I am still looking to improve this scheme. Can I benefit from 'virtual VLANs'? Unless the list admin frowns on the discussion of this due to its off-topic nature... in which case 'reply' will still do rather than 'reply all.' :)

Mark

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
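As an added example (not from Mark's post, nor from the Shorewall or Open vSwitch projects), the following Python script lays out the "one global IP -> 1:1 NAT -> /31 point-to-point subnet -> own bridge and own firewall NIC" plan described above and emits the matching ovs-vsctl commands and /etc/shorewall/nat rows. The 10.255.0.0/16 link pool, the xenbrN/ethN naming and the five-column nat layout (EXTERNAL INTERFACE INTERNAL ALL LOCAL) are assumptions of this example.

```python
# Added example: plan the "one global IP -> 1:1 NAT -> /31 PtP subnet -> own
# bridge -> own firewall NIC" scheme from the post. The 10.255.0.0/16 link
# pool, the xenbrN/ethN names and the Shorewall nat column layout are assumptions.
import ipaddress

PTP_POOL = ipaddress.ip_network("10.255.0.0/16")          # assumed pool of /31 links
WORKSTATION_NET = ipaddress.ip_network("192.168.1.0/24")  # shared bridge from the post
DC_BRIDGE = "xenbr0"                                      # bridge holding dom0 eth0 + fw eth0


def plan_public_hosts(public_ips):
    """Give every public IP its own /31 link, its own bridge and its own fw NIC.

    Bridge i is xenbr{i} and the firewall sees it as eth{i}; eth0 of the
    firewall stays on the data-centre bridge, as in the post.
    """
    links = PTP_POOL.subnets(new_prefix=31)
    plan = []
    for i, ip in enumerate(public_ips, start=1):
        link = next(links)
        fw_addr, host_addr = list(link)   # RFC 3021: both /31 addresses are usable
        plan.append({"public": ipaddress.ip_address(ip), "bridge": f"xenbr{i}",
                     "fw_nic": f"eth{i}", "link": link,
                     "fw_addr": fw_addr, "host_addr": host_addr})
    return plan


def ovs_commands(plan):
    """ovs-vsctl commands for dom0: data-centre bridge plus one bridge per host.
    Attaching each domU vif is left to the Xen vif script."""
    cmds = [f"ovs-vsctl add-br {DC_BRIDGE}", f"ovs-vsctl add-port {DC_BRIDGE} eth0"]
    cmds += [f"ovs-vsctl add-br {e['bridge']}" for e in plan]
    return cmds


def shorewall_nat_lines(plan, ext_if="eth0"):
    """/etc/shorewall/nat rows (EXTERNAL INTERFACE INTERNAL ALL LOCAL) giving the
    1:1 NAT from each global IP on the firewall's eth0 to its /31 host address."""
    return [f"{e['public']}\t{ext_if}\t{e['host_addr']}\tno\tno" for e in plan]


def share_segment(plan, ip_a, ip_b):
    """True only if two public hosts sit on the same bridge (same L2 segment).
    With one /31 per bridge this is always False, so host-to-host traffic
    has to pass the firewall, which is the point of the scheme."""
    bridge = {str(e["public"]): e["bridge"] for e in plan}
    return bridge[ip_a] == bridge[ip_b]
```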
