xen-users
Re: [Xen-users] Running workstation and firewall on the same hardware
> > Conceptually the simplest would be to have dom0 forward *link level*
> > packets to a domU, which can filter them at IP level and then send them
> > back to dom0. In this scheme dom0 still receives the packets initially
> > but doesn't do anything with them until they've been verified by the
> > domU. Link-level attacks on dom0 could compromise the machine but a
> > compromise of the domU will not (although your IP traffic is obviously
> > untrusted then).
>
> Maybe I've missed something obvious, but how would you do this?
I've never done it myself, so I can't give an exact recipe...
Basically you'd want to bridge all packets from the real ethernet onto the vif
of the domU and bypass dom0's TCP stack. You should be able to do this by
not configuring the bridge as an IP interface. Then create a second VIF to
the domU, configure it for IP, and configure dom0's routing to use the IP
over the domU as the gateway.
The domU would treat its first vif (the bridged one) as "external" and the
second as "internal", even though they're really both serviced through dom0
in some way.
I think this is sane from a Linux PoV? (albeit very context-switch heavy from
a Xen PoV)
Cheers,
Mark
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
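The dom0 side of the setup Mark sketches (an IP-less bridge from the real NIC to the domU's first vif, a second routed vif, and dom0 defaulting through the domU), written out as an added example; this is not from the thread or from any Xen project code. All names are assumptions: physical NIC `eth0`, bridge `xenbr0`, the firewall domU's vifs as seen from dom0 `vif1.0` (external, bridged) and `vif1.1` (internal, routed), and a `10.0.0.0/30` transfer net. Without `APPLY=1` the script only prints the commands it would run, so it can be reviewed before touching a live box.

```shell
#!/bin/sh
# Added example (not from the original post): dom0-side setup for the
# "bridge at link level, filter in the domU, route IP back through it" scheme.
# All names below are assumptions, override them via the environment:
#   PHYS    physical NIC            (eth0)
#   BR      IP-less bridge          (xenbr0)
#   VIF_EXT domU "external" vif     (vif1.0, bridged to PHYS)
#   VIF_INT domU "internal" vif     (vif1.1, routed, carries dom0's only IP)
#   DOM0_IP / DOMU_GW  transfer net (10.0.0.1/30 -> gateway 10.0.0.2)
# Without APPLY=1 the script only prints the commands it would run.

PHYS=${PHYS:-eth0}
BR=${BR:-xenbr0}
VIF_EXT=${VIF_EXT:-vif1.0}
VIF_INT=${VIF_INT:-vif1.1}
DOM0_IP=${DOM0_IP:-10.0.0.1/30}
DOMU_GW=${DOMU_GW:-10.0.0.2}

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

dom0_fw_setup() {
    # 1. Strip any address from the physical NIC: dom0 must not answer on it.
    run ip addr flush dev "$PHYS"

    # 2. Link-level path: an IP-less bridge joining the NIC and the domU's
    #    external vif. dom0 still moves the frames (the residual link-level
    #    exposure Mark mentions) but has no IP stack listening on them.
    run ip link add name "$BR" type bridge
    run ip link set "$PHYS" master "$BR"
    run ip link set "$VIF_EXT" master "$BR"
    run ip link set "$PHYS" up
    run ip link set "$VIF_EXT" up
    run ip link set "$BR" up
    # The kernel would otherwise auto-assign an IPv6 link-local address to
    # the bridge, which reopens dom0 at IP level; keep the bridge purely L2.
    run sysctl -w "net.ipv6.conf.$BR.disable_ipv6=1"

    # 3. IP path: the second vif carries dom0's only address, on the transfer
    #    net, and the domU is dom0's default gateway through it.
    run ip addr add "$DOM0_IP" dev "$VIF_INT"
    run ip link set "$VIF_INT" up
    run ip route replace default via "$DOMU_GW" dev "$VIF_INT"

    # 4. dom0 itself must never route between the two paths.
    run sysctl -w net.ipv4.ip_forward=0
}

# Post-check: given the text of `ip addr show dev $BR`, succeed only if the
# bridge carries no IPv4 or IPv6 address at all.
bridge_has_no_ip() {
    ! printf '%s\n' "$1" | grep -Eq '^[[:space:]]*inet6? '
}

# Constructed sample outputs for the post-check (not captured from a real host).
SAMPLE_BRIDGE_OK='3: xenbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:16:3e:00:00:01 brd ff:ff:ff:ff:ff:ff'
SAMPLE_BRIDGE_BAD='3: xenbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:16:3e:00:00:01 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::216:3eff:fe00:1/64 scope link'

dom0_fw_setup
if [ "${APPLY:-0}" = "1" ]; then
    bridge_has_no_ip "$(ip addr show dev "$BR")" \
        || echo "WARNING: $BR still carries an IP address" >&2
fi
```

Inside the domU the mirror image applies: the vif that backs `vif1.0` gets the public address and is treated as untrusted, the one backing `vif1.1` gets `10.0.0.2/30`, IP forwarding is switched on there, and the filter rules live on that forwarding path. The post-check matters because an `inet6` link-local on the bridge is exactly the kind of quiet IP-level foothold in dom0 the scheme is meant to avoid.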