Re: [Xen-users] Recipe for 'Thin Domain 0' request

[Rik van Riel <riel@xxxxxxxxxx>]

On Sun, 3 Apr 2005, William (Andy) Smith wrote:

> I would need to prove the theory that I can isolate the NIC device and 
> its traffic from Domain 0 and all other domains in a firewall 
> application.

I guess you could do the following, where I assume that
eth1 contains your untrusted traffic:

[eth1] <-> [xen-br1] <-> domU firewall <-> [xen-br0] <-> [eth0]
(no IP)                                    (dom0's IP)

This way eth0 is firewalled from external network traffic.
Yes, the packets will travel through dom0 to get to the
domU firewall - but dom0 does not have any IP addresses
before that firewall, so it will be much harder to attack.

-- 
"Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are,
by definition, not smart enough to debug it." - Brian W. Kernighan

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users