xen-users
[Xen-users] Re: firewalls and Xen
Molle Bestefich wrote:
>> If you want to get all paranoid and isolate each domU from each other,
>> go for it. Use the routed method, and have separate firewall rules for
>> each server.
>
> Where would the router sit?
> A domU or in dom0 as per your previous diagram?
> In the dom0 case, wouldn't you suddenly get traffic hitting dom0's IP
> stack?

That is the downside of using the routed method: all traffic hits dom0's
IP stack. The firewall package "shorewall" supports this configuration,
so you could just make dom0 the firewall instead of a domU. Personally,
I don't like this config, but it would work.

>> Also, keep in mind that XEN currently doesn't
>> support more than three network interfaces per domU, so you end up
>> having to have one firewall for every two domU's.
>
> Ok. I use VLANs to separate the domUs, and since the VLANs terminate
> in a virtual interface, I don't suffer from this limitation.

Huh? It's the virtual network interfaces that are limited to 3 per
domU. The dom0 is the only domain that can have more interfaces (real
or virtual).

>> In my opinion, a better solution is to install shorewall (or whatever
>> firewall package you like) on every domU, so it can protect itself.
>
> It does have the advantage that it's easier for each domU to define
> its own rules. But you sort of lose a lot of central management, I
> think.

Yep, you have N+1 firewalls to manage, but typically host-based
firewalls don't get modified very often. They typically only need
changing when you add or change a network service. But it can be a pain.
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
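As an added illustration of the dom0-as-router variant discussed above (this is example code, not part of the thread, and not shorewall's own configuration), the script below builds a per-domU iptables ruleset for a dom0 running Xen's routed networking. Because dom0 is the router in that mode, guest traffic crosses dom0's FORWARD chain, while dom0's own IP stack (the downside the poster raises) is covered by the INPUT chain. The guest names, vif names, addresses, management subnet and service ports are constructed assumptions; by default the rules are only printed, and APPLY=1 runs them for real.

```shell
#!/bin/sh
# Added example, not from the thread: "separate firewall rules for each
# server" on a dom0 that routes for its guests. Constructed layout (assumed):
#   domU "web"  on vif1.0 at 10.0.0.2, offers tcp/80 and tcp/443
#   domU "mail" on vif2.0 at 10.0.0.3, offers tcp/25 and tcp/993
#   management ssh to dom0 only from 192.168.1.0/24 via eth0
# Without APPLY=1 the iptables commands are echoed instead of executed.

ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# Policy for dom0's own IP stack: everything routed mode exposes lands in INPUT.
# Accept rules go in first and the DROP policies last, so a remote ssh session
# applying this is not cut off halfway through.
dom0_rules() {
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i eth0 -s 192.168.1.0/24 -p tcp --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
}

# domu_rules NAME VIF IP "PORT PORT ..."
# One chain per guest. Anything routed toward the guest (out of its vif) is
# judged by that chain: replies to the guest's own connections and the listed
# TCP services are accepted, the rest is logged and dropped. The guest may
# only source packets from its own address, and its traffic to other guests
# is not short-circuited here but falls through to the destination's chain,
# which keeps the domUs isolated from each other as the thread wants.
domu_rules() {
    name=$1 vif=$2 ip=$3 ports=$4
    ipt -N "fw-$name"
    # Anti-spoofing: packets entering dom0 from this vif must carry the guest's IP.
    ipt -A FORWARD -i "$vif" ! -s "$ip" -j DROP
    # Everything leaving dom0 toward this guest goes through the guest's chain.
    ipt -A FORWARD -o "$vif" -d "$ip" -j "fw-$name"
    ipt -A "fw-$name" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for p in $ports; do
        ipt -A "fw-$name" -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    ipt -A "fw-$name" -j LOG --log-prefix "fw-$name drop: "
    ipt -A "fw-$name" -j DROP
    # Guest-originated traffic to the outside world is allowed; traffic to
    # another vif is deliberately excluded so the other guest's chain decides.
    ipt -A FORWARD -i "$vif" -s "$ip" ! -o vif+ -j ACCEPT
}

ruleset() {
    dom0_rules
    domu_rules web  vif1.0 10.0.0.2 "80 443"
    domu_rules mail vif2.0 10.0.0.3 "25 993"
}

ruleset
```

Adding a guest means one more `domu_rules` line; changing a service means editing one port list, which is the "only when you add or change a network service" case from the thread, just kept in one place on dom0 rather than inside each domU.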