xen-users
Re: [Xen-users] LAN configuration?
Hi Marcus

On Wed, 2005-09-14 at 10:35 +1000, Marcus Brown wrote:
> For the LAN interface, hide the NIC from dom0 and export it to the
> Firewall driver domain. For an internal DMZ create a bridge in dom0
> (possibly tied to a dummy interface) without an IP assigned to it
> and export it to the firewall. Any domUs you want your LAN to access
> just need to have this bridge specified in their xen config, and the
> appropriate firewall rules for routing between the LAN and DMZ.

How is a bridge like that exported to the firewall? I know how to
export a physical device, but not a bridge. Is it done via a 'vif =
[....]' statement in the firewall domain's configuration script?

> You could use the Firewall driver domain as a network backend for your
> domUs, but this results in a new vif being issued in the Firewall for
> each domU created, and can cause problems with firewalls like Shorewall.
> Hence my preference for an 'untethered' bridge.

Yeah, I tried doing that (specifying "backend=fw01" in the domU's
config), but since I have LAN and DMZ domUs on the host server, I could
not find a way to specify which vif created on the firewall was to be in
the DMZ and which was to be in the LAN :-(

-Alan

P.S.: Replies to the list as opposed to my personal address are
preferred, as this information may be quite useful for others. :-)
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users