After setting up xen and configuring buildbot on a xen guest domain, I decided it was time to bite the bullet and setup shorewall to hide the xen guest domains behind a private network.

By the way, there are some nice guides on setting up shorewall with xen:

• Strong Firewall in a Routed Xen Dom0
• Xen and the Art of Consolidation
• Xen and Shorewall

In the process I had to reconfigure Xen to use routed networking rather then bridged:

Changed (/etc/xen/xend-config.sxp) from:

(network-script network-bridge)
(vif-script vif-bridge)

To:

(network-script network-route)
(vif-script vif-route)

After setting up shorewall properly and being able to log into two different Debian etch guest domains, I noticed that my previously working WinXP hvm was not starting up properly. When I looked into it further I found the following in /var/log/xen/qemu-dm.11384.log

domid: 20
qemu: the number of cpus is 1
/etc/xen/scripts/qemu-ifup: could not launch network script
Could not initialize device ‘tap’

Tap device cure (found here):

tunctl -t tap0

The final piece of the puzzle (since I’m using the routed script with xen)…

Comment out “brctl addif $2 $” from /etc/xen/scripts/qemu-ifup as mentioned by George in this mailing list thread.

UPDATE (2007Feb12): By doing the above two tasks, I was able to launch WinXP under Xen, but I did not have shorewall setup properly. To save time and money, I’m going with the simpler route of buying a hardware firewall/router. I will leave the information above incase it is useful to anyone (including myself) in the future.