RE: [Xen-users] Ideal(istic) Xen firewall design

["Mike Tierney" <miket@xxxxxxxxxxxxxxxx>]

> Marcus Brown wrote:
> Hi Dirk,
> 
> Dirk H. Schulz wrote:
> > Hi Marcus,
> > 
> > thanks for so much info!
> > 
> > Just a short question before I start digging into your 
> configs: What 
> > do you gain by running the firewall inside a privileged 
> guest system 
> > instead of inside dom0?
> > 
> 
> It's modular, restartable, replaceable, ...
> (ie. I can reboot the firewall without rebooting all the 
> domUs) errr oh, and someone gaining root access to the 
> firewall won't be able to play with xend, or the filesystems 
> of the domUs.
> 
> I'm sure there are other good reasons :)

Yep, like if you are consolidating an existing "bunch" of servers you can
(probably) keep your current set of firewall rules that your current
physical firewall uses.

I'm currently looking at using Xen to consolidate our firewall, front end
(mail, dns, proxy), application & file servers all into the one box (3 of
those sit 98% idle.....). The complex firewall rules (5 diff zones) are
built with fwbuilder (www.fwbuilder.org) and so I can probably just rename
the ethernet devices and hit "compile" to generate the iptables rules for
the new Xen firewall. Hopefully this thread has given me enough info to
handle all the bridging! :)

But it is still tempting to just do away with the seperate firewall vm and
do all the firewalling in Dom0!
 
> I've got all my domains (except dom0) on lvm+raid so 
> snapshotting is a great way of testing and making backups.
> 
> This is just the start, though ... more ideas being worked on atm.
> 
> Marcus.
> 
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users
> 


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users