[Lxc-users] Firewalling ...

Bodhi Zazen bodhi.zazen at montanalinux.org
Fri Jul 2 15:13:31 UTC 2010


In general, if I were managing the containers I would configure the firewall on the host as you suggest. 

With that general advice, additional considerations include 

- Can use NAT for your guests ?

- Do you want your guests to be private or public ?

- How uniform are your containers ? Do they all have the same firewall needs ? Are they web servers that can be serviced by a reverse proxy ? What services are you running in the containers ?

- What are you wanting to accomplish with a firewall ?

Just some initial considerations.



----- Original Message -----
From: "Gordon Henderson" <gordon at drogon.net>
To: lxc-users at lists.sourceforge.net
Sent: Friday, July 2, 2010 8:09:52 AM
Subject: Re: [Lxc-users] Firewalling ...

On Fri, 2 Jul 2010, Daniel Lezcano wrote:

> On 07/02/2010 03:06 PM, Gordon Henderson wrote:
>> Further to my logging stuff, which I seem to be able to get round now, I'm
>> now wondering about the issues surrounding firewalling - wondering if it
>> might be more efficient to have one firewall on the host which hooks into
>> the forwarding table, (eth0 rather than br0?) or individual firewalls on
>> each container - all doing more or less the same thing....
>> 
>> Any thoughts/comments?
>> 
>
> I didn't look at the netfilter code within the kernel but at the first glance 
> if the tables are 'namespacized', it would be more efficient to have the 
> iptables rules per container because the tables will be smaller and then the 
> lookup faster but *maybe* at the cost of an extra memory consumption. In the 
> other hand, it could be preferable to keep all on the host to centralize the 
> administration in a single network stack, that could be easier to configure. 
> Moreover if there is a large number of container, hence a big number of veth 
> attached to the bridge, the sooner the packet is dropped the better it is, 
> that should reduce the packet processing on the bridge (eg. prevent to find 
> the dest interface, deliver the packet to it, which result to a drop).
>
> IMHO it's a decision to be made against the containers number vs iptable 
> rules number.
>
> Well these are random thoughts and assumptions, so don't give too much credit 
> to it ;)

Always good to have another view on things though!

FWIW: I'm looking at up to 20 containers in a host for this application. 
(virtual asterisk servers) and I'm probably leaning towards centralised 
administration more than anything else...

Thanks,

Gordon

------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________
Lxc-users mailing list
Lxc-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users




More information about the lxc-users mailing list