Building a Xen firewall with Firewall Builder

Original post date: March 30th, 2011
Updated: April 4th, 2011 (missing rule in prolog)

Managing a firewall for a Xen dom0 with Firewall Builder is something of a problem. Xen itself adds forwarding rules when it starts a virtual machine, and those rules are wiped away when the fwbuilder-generated script installs its own, which is unfortunate.

Summing up, the final plan was to install a firewall on dom0 that a) forwards to the VMs the packets originating outside and directed to them (and the replies back), and b) protects dom0 itself.

It took me some time, a few experiments and some advice to get it right, and here is how. Xen mediates the connections to the virtual machines using bridging, so to make the firewall work properly I needed to mark it as a bridging firewall in fwbuilder, and then have it deal properly with the iptables physdev module.

I tested a few possible solutions and also asked for advice on the fwbuilder-discussion list. Rebuilding the standard set of Xen rules is easy indeed, and the few shell script lines would fit easily in an epilog script in fwbuilder. But I felt that was not the solution I was looking for.

So, the final plan formed with this shape:

  • set the policy to DROP
  • allow all outgoing traffic
  • forward all connections entering the machine from the external (peth) interface and directed to a vif interface
  • forward all connections going out from a vif interface, wherever they are headed
  • allow connections going to the dom0 interfaces for "permitted" services
  • drop all the rest
  • then, configure an individual firewall inside each virtual machine.

The hard part was working out how to get the third and fourth points into place; the result, though, is not hard at all. It's enough to add these three lines as a prolog:

# outside -> guest
$IPTABLES -A FORWARD -m physdev --physdev-in peth+ --physdev-out vif+  -j ACCEPT
# guest -> outside
$IPTABLES -A FORWARD -m physdev --physdev-in vif+  --physdev-out peth+ -j ACCEPT
# guest -> guest on the same bridge
$IPTABLES -A FORWARD -m physdev --physdev-in vif+  --physdev-out vif+  -j ACCEPT

This prolog should be set to run after policy reset (fwbuilder lets you choose where the prolog is inserted; placed at the top of the script it would simply be flushed by the policy reset that follows). Two caveats: bridged frames only traverse the FORWARD chain, where the physdev match applies, when the kernel's bridge-nf-call-iptables setting is enabled; and these three rules accept all guest traffic unconditionally, including traffic between two guests on the same bridge (the third rule), so remove that line if the guests are meant to be isolated from each other.
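To show what the whole plan looks like as a ruleset, here is the six points above written out as a plain iptables script. This is an added example, not the post's own prolog nor the script fwbuilder generates (with fwbuilder, only the xen_forward_rules part goes in the prolog; the rest comes from the GUI policy). The peth+/vif+ names are the post's; the stateful INPUT rules, the admin network MGMT_NET and ssh as the only permitted dom0 service are assumptions for illustration. Running it with no argument prints the rules instead of installing them.

```shell
#!/bin/sh
# Added example (not the post's or fwbuilder's own script): the firewall plan
# for a bridged Xen dom0 as a plain iptables script.
# Assumed for illustration: admin hosts in MGMT_NET, ssh as the only
# permitted dom0 service, and a stateful match for replies to dom0's own
# connections. Run with "preview" (default) to print, "apply" to install.

IPTABLES=${IPTABLES:-iptables}
MGMT_NET=${MGMT_NET:-192.0.2.0/24}   # assumed: where dom0 admins come from

# Bridged frames only pass through the iptables FORWARD chain (and so the
# physdev match) when bridge-nf-call-iptables is enabled.
enable_bridge_netfilter() {
    [ -e /proc/sys/net/bridge/bridge-nf-call-iptables ] || modprobe br_netfilter
    echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
}

# Point 1: flush everything and set every policy to DROP.
policy_reset() {
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP
}

# Point 2: dom0 may talk to anyone; loopback and replies to its own
# connections are let back in (assumed, the post does not spell this out).
allow_outgoing() {
    $IPTABLES -A OUTPUT -j ACCEPT
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Points 3 and 4: the prolog from the post. Guest traffic is forwarded
# unconditionally; each guest filters for itself.
xen_forward_rules() {
    # outside -> guest
    $IPTABLES -A FORWARD -m physdev --physdev-in peth+ --physdev-out vif+ -j ACCEPT
    # guest -> outside
    $IPTABLES -A FORWARD -m physdev --physdev-in vif+ --physdev-out peth+ -j ACCEPT
    # guest -> guest on the same bridge; drop this line to isolate the guests
    $IPTABLES -A FORWARD -m physdev --physdev-in vif+ --physdev-out vif+ -j ACCEPT
}

# Point 5: the "permitted" services on dom0 itself (ssh from MGMT_NET and
# ping, both assumed). Everything else falls through to the DROP policy
# (point 6).
dom0_input_rules() {
    $IPTABLES -A INPUT -p tcp -s "$MGMT_NET" --dport 22 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
}

apply_all() {
    policy_reset
    allow_outgoing
    xen_forward_rules
    dom0_input_rules
}

case "${1:-preview}" in
    apply)   enable_bridge_netfilter; apply_all ;;
    preview) IPTABLES=echo; apply_all ;;
    *)       echo "usage: $0 [preview|apply]" >&2; exit 2 ;;
esac
```

The order matters: the physdev ACCEPT rules sit in FORWARD before anything else, so nothing on dom0 inspects guest traffic, which is exactly the division of labour the post wants (dom0 protects itself, each guest protects itself).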

That's all! dom0 is now properly firewalled, and each VM should then be firewalled as an independent entity, applying iptables rules inside the VM.


7 thoughts on “Building a Xen firewall with Firewall Builder”

  1. Hello. Do you have experience with Virtualbox? I am having difficulty applying a Firewall Builder use to the physical NIC (eth0) to prevent users from creating a virtual NIC, bridged to the Host. If I could make a 'master' iptables script to apply to the physical interface, hopefully it would override any virtual guest's bridge connection. Are our objectives similar? Thank you.

  2. Hi Celeste. Originally posted by CLoudner:

    Are our objectives similar ?

    Not really 🙂 My objective was to 1) have the Xen host filter the traffic directed to it; 2) have the Xen host forward the traffic directed to virtual machines so that 3) each virtual machine could decide by itself what to filter and what not. At a first glance, your approach seems doable, as long as you can intercept the packets as early as possible (that is: before they are enqueued to the virtual interface), but not in the mangle table, since filtering packets there is discouraged. You'd be better off asking the question to real fwbuilder+iptables experts, so please fire off your question to the list fwbuilder-discussion (see!

  3. Originally posted by CLoudner:

    Oddly enough, the fwbuilder forum references you;

    That's true. But you didn't mention Virtualbox there, and the fact that it creates a virtual interface to bridge a virtual machine to the external network, and such (I don't know if they are familiar with VBox, so it was worth mentioning it). I was a bit puzzled myself when I quickly read your question here ("how is it possible that normal users are allowed to create virtual NICs???"), and had to read a second time to fully understand what the problem was. So probably Mike Horn was mistaken when he suggested my post, which appears to be unrelated to your problem. If UFW does what you need, stick with it and you'll do the right thing. But if you have some little time, I'd suggest you go back to the forum and fully explain the problem. I am sure there is someone who can help you. In any case, good luck 😉

  4. Uhm… wait… actually, thinking about it again, maybe physdev can indeed do what you want!!! I'd have to think it through a bit, and experiment, but if all you want is to drop packets from/to a vbox VNIC, then it should be easily doable, yes. I hope to be back soon with some more info! Ciao –bronto

  5. Celeste, if you are still interested in trying to get this working using Firewall Builder we would be happy to try and help. If UFW generates the commands you need you can just send the output of iptables -L -n and explain which rules you are trying to recreate in Firewall Builder. We aren't virtualization experts, so if you are able to tell us the iptables commands you need generated we can help explain how to configure Firewall Builder to do this. Regards, -mike

  6. Thank you both for your assistance. Yes, Marco, I was also surprised a normal user could create a virtual bridge interface and defeat my purpose of keeping the workstation from accessing the internet via iptables on the host. I have not adequately devoted time to physdev yet. Mike, thank you for the offer. The application of Firewall Builder is for a small office of Linux servers and workstations with one switch and one router before the cable modem. Your product is extremely capable but I cannot convince my client it can be maintained by their freelance IT. UFW serves its purpose and has continued to add features, i.e. pop up warnings/notices. FWB I see as a product for those with an in depth knowledge of networking protocols and routing procedures, not the intermediate user. If I return to FWB, I will use the proper Forum boards to post for a solution. Thank you both. Celeste :p
