xen-users
Re: [Xen-users] Remote management of DomU
On Fri, 2005-12-23 at 08:55 +0100, Goetz Bock wrote:
> On Wed, Dec 21 '05 at 07:19, Alan Murrell wrote:
<snip>
>
> You can always give the bridge interface an IP, then you can use it from
> Dom0 like if it was a regular interface.
>
> I'm currently running a Xen3 amd64 server with three bridges:
>
> - xenbr0: with the real eth0, and a vif from a firewall domU
> - privbr: one vif from the firewall, and vifs from some domU. All
> interfaces on this bridge use 192.168.x.y IPs. This one also
> has an IP of its own, so the Dom0 can be accessed
> - pubbr: one vif from the firewall, vifs from some domUs all with public
> IPs.
>
> The firewall is doing routing between xenbr0 and pubbr. I'm also running
> a VPN domU that allows me to access the network on privbr.
>
> Works fine so far.
Just as a suggestion, I always cringe to put any device other than a
firewall directly on the Internet with public IPs, especially a domU, just
in case someone, somewhere, someday figures out how to crack into the
other domUs or dom0 from a compromised domU.
I would generally put the public servers on yet one more bridge as a DMZ
with private addresses and protect them via the firewall so that only
needed services are allowed - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@xxxxxxxxxxxxxxxxxxx
If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
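
The DMZ layout suggested in the reply above, sketched as an added example that is not part of the original thread: a default-deny ruleset for the firewall domU, emitted in iptables-restore format. The interface names (eth0 on xenbr0, eth1 on a new DMZ bridge, eth2 on privbr), the addresses and the service list are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Interface names and addresses are assumptions.
WAN_IF=eth0    # firewall domU vif on xenbr0 (Internet side)
DMZ_IF=eth1    # firewall domU vif on a new DMZ bridge (private addresses)
PRIV_IF=eth2   # firewall domU vif on privbr (management side)
# Constructed sample data: public_ip:proto:port:private_dmz_ip
SERVICES="203.0.113.10:tcp:80:192.168.50.10
203.0.113.10:tcp:443:192.168.50.10
203.0.113.11:tcp:25:192.168.50.11"

# Print one rule per published service; $1 selects the table being built.
service_rules() {
    echo "$SERVICES" | while IFS=: read -r pub proto port dmz; do
        [ -n "$dmz" ] || continue
        if [ "$1" = nat ]; then
            echo "-A PREROUTING -i $WAN_IF -d $pub -p $proto --dport $port -j DNAT --to-destination $dmz:$port"
        else
            # FORWARD sees the packet after DNAT, so match the private address
            echo "-A FORWARD -i $WAN_IF -o $DMZ_IF -d $dmz -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        fi
    done
}

emit_dmz_rules() {
    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    echo ":POSTROUTING ACCEPT [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    service_rules nat
    echo "COMMIT"
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Management of the firewall itself only from the private bridge
    echo "-A INPUT -i $PRIV_IF -p tcp --dport 22 -j ACCEPT"
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    service_rules filter
    # Nothing else is forwarded: a DMZ guest cannot open new connections
    # to privbr or to the Internet through this firewall.
    echo "COMMIT"
}
```

Running `emit_dmz_rules | iptables-restore --test` as root parses the ruleset without committing it. Traffic between guests attached to the same DMZ bridge does not pass through the firewall domU and is not filtered by these rules.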