Re: [vserver] [WISHLIST] Routing traffic through network when multiple vservers are in different vlans on the same vserver host

From: Herbert Poetzl <herbert_at_13thfloor.at>
Date: Wed 17 Aug 2011 - 13:52:18 BST
Message-ID: <20110817125218.GA2917@MAIL.13thfloor.at>

On Tue, Aug 16, 2011 at 09:33:55PM -0400, John Pierce wrote:
> Hi all,

> This may have been asked before so I apologize if so. I've just
> yet to find an answer or possible solution.

> I have a single VServer host that has multiple NICs in it.
> One NIC is for "untrusted traffic" (think DMZ) and another
> NIC is for "trusted traffic" (think LAN).

> I'd like to run some vservers in my DMZ on eth0 and some
> vservers in my LAN and route traffic between the vservers
> which happen to run on the same host through the firewall
> device I have.

I presume the 'firewall device' is something sitting somewhere
on both networks, the DMZ and the LAN, yes?

> That way all my firewall rules exist in one place for my
> network.

> Well, if you haven't already guessed, this works just fine if
> you have two VServer hosts, one dedicated for the DMZ vservers
> and one dedicated for the trusted LAN vservers.

> Good security design aside, I just happen to think for a small
> lab that I'm running, I'd really like to be able to collapse
> the technical requirement for two separate hosts to just one
> VServer host with both DMZ and LAN NICs. But when I do that, of
> course, the local Linux routing table takes over and traffic
> from a DMZ vserver that needs to go to a backend LAN vserver
> just doesn't leave the host machine like I'd want it to.

you should be able to accomplish this with network namespaces
(which are already working with a recent Linux-VServer
kernel and will probably be supported soon by util-vserver)

> I've seen some articles about how to do this by patching the kernel.
> See http://www.linuxquestions.org/questions/linux-networking-3/multihomed-machine-and-local-ip-addresses-597741/
> and then see the patch called send-to-self here:
> http://www.ssi.bg/~ja/#loop

> Is it possible that this patch could be considered so that
> VPS hosters like me could use a single VServer host and yet
> still route the traffic off the machine to the network?

the patch for 3.x looks rather trivial, so assuming that
you will do extensive testing and report back your findings
I would consider adding this to the experimental patch
series at least (assuming it actually helps and maybe with
some more ifdef magic for enabling/disabling it at buildtime)

> This is conceptually how VMware ESXi works (i.e. a DMZ and a
> trusted LAN VM could be running on the same host yet traffic
> between the two is isolated and controlled via the network
> topology that has been established).

> It'd really make my day and help me avoid security issues where
> traffic between vservers that happen to run on the same VServer
> host doesn't leak across the local routing table on the host.

the first step (maybe already done on your side) would be
to test the patch (which should apply fine to a Linux-VServer
patched kernel) and let us know how it goes ...
(e.g. make a wiki page with the steps required to set it up)

> Hoping for a favorable opinion from others....

best,
Herbert

> Regards,
> John

> We can't solve problems by using the same kind of thinking we
> used when we created them. -- Albert Einstein
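Added example, not code from the thread or from the Linux-VServer project: a POSIX shell script that gives each guest its own network namespace with a macvlan child of the host NIC, so a packet from the DMZ guest to the LAN guest has to leave via the firewall instead of being short-circuited by the host's routing table. Interface names (eth0/eth1), the RFC 5737 addresses and the firewall gateway addresses are assumed values.

```shell
#!/bin/sh
# Added example (not from the thread): one network namespace per guest,
# so the host's local routing table is never consulted for guest traffic.
# eth0/eth1, the 192.0.2.0/24 and 198.51.100.0/24 ranges and the .1
# firewall gateways are assumed values; adjust them to your lab.
set -eu

# Execute a command when APPLY=1 (needs root), otherwise print the plan.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# make_guest_ns NAME PARENT_NIC ADDR/PREFIX GATEWAY
# The guest's only interface is a macvlan child of PARENT_NIC living in
# its own namespace, so its default route (the firewall) is the only
# path to the other network; there is no local delivery on the host.
make_guest_ns() {
    ns=$1 nic=$2 addr=$3 gw=$4
    run ip netns add "$ns"
    run ip link add "mv-$ns" link "$nic" type macvlan mode bridge
    run ip link set "mv-$ns" netns "$ns"
    run ip netns exec "$ns" ip addr add "$addr" dev "mv-$ns"
    run ip netns exec "$ns" ip link set "mv-$ns" up
    run ip netns exec "$ns" ip link set lo up
    run ip netns exec "$ns" ip route add default via "$gw"
}

# next_hop NAME DST: show the route a guest would use for DST. With
# separate namespaces this must name the firewall gateway, never "local".
next_hop() {
    run ip netns exec "$1" ip route get "$2"
}

main() {
    # DMZ guest on eth0, firewall at 192.0.2.1
    make_guest_ns dmz eth0 192.0.2.10/24 192.0.2.1
    # LAN guest on eth1, firewall at 198.51.100.1
    make_guest_ns lan eth1 198.51.100.10/24 198.51.100.1
    # DMZ -> LAN guest: check the reply mentions "via 192.0.2.1"
    next_hop dmz 198.51.100.10
}

main
```

Without APPLY=1 the script only prints the ip(8) commands it would run; as root with APPLY=1 it creates the namespaces, and the final `ip route get` should show the firewall as next hop.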
Received on Wed Aug 17 13:52:34 2011

Generated on Wed 17 Aug 2011 - 13:52:35 BST by hypermail 2.1.8