xen-users
Re: [Xen-users] Firewall in a guest domain?
Anyone want to share a step-by-step howto for approach 4 below?
On Wed, 2005-07-20 at 00:38 +0100, Mark Williamson wrote:
> > I guess what I am asking is if I can install for instance IPCop on domain3
> > and have it protect domains 0-9 or if I need to as you say run IPTables on
> > domain0 to restrict the guests... can I filter all traffic through dom3
> > or am I required to filter it through dom0 if I want any kind of
> > filtering?
>
> Ah well...
>
> Here are some (not all) possible configurations, in increasing order of
> complexity and theoretical security:
>
> * Basic system, no firewalling, as the default.
> * Add IPTables rules in dom0 to protect itself from the guests and outside
> world, and protect and regulate the guests.
> * Add IPTables in the domUs to protect themselves. This could be at the
> discretion of the users.
> * Dedicate a physical device to a "firewall domain" and have it filter on
> that interface for all the other domains.
>
> The last seems closest to what you're proposing, there are a few people doing
> this with success, although it's not as user friendly as it could be.
>
> A workaround to assigning devices would be to bridge the ethernet device into
> a guest, then have it filter at the IP (and above) level before delivering to
> the other domains. This would probably be a bit fiddly to set up but I think
> people have done this too.
>
> Cheers,
> Mark
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users
--
Mike Hoesing <m-hoesing@xxxxxxx>