WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

[Xen-users] Best practice for firewall in domU

To: Xen Users <xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-users] Best practice for firewall in domU
From: Darrin Wortlehock <darrin@xxxxxxxxxxxxx>
Date: Mon, 2 Oct 2006 19:09:12 +0100
Delivery-date: Mon, 02 Oct 2006 11:10:02 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Sorry if this has been discussed before, but I am having trouble finding a definite answer...

I am setting up a co-located server with a single NIC and 2 IPs. I believe I want to run a firewall in the first domU (consuming 1 IP address), a web-serving domU with 2 network interfaces (other public IPs as DMZ and private network) and several other domUs with only private network interfaces (running app + db servers). I want to bridge the private network to a tun/tap openvpn server in the firewall domU. Dom0 should probably be connected to the management interface. This all seems doable in Xen with the current version.

I can successfully use pciback to hide the ethernet adapter from dom0 and configure it in the firewall domU. Is this considered a best practice? If so, how do I bridge/route the other IP to the second domU?

I am currently assuming I would want two bridges defined in the dom0, one for the public IPs and one for the private network. If this is the case, how should I go about creating the bridges in a dom0 that has no ethernet adapter? The private network's bridge would want to be accessible from dom0, the DMZ bridge definitely not.

Any thoughts would be greatly appreciated.

Darrin.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
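One way to build the dom0 side of the layout Darrin describes, as an added example that is not part of the original thread: two bridges with no physical port (the NIC is hidden with pciback), dom0 addressed only on the private one. The bridge names, the 10.0.0.0/24 range, the PCI address and the domU config lines in the comments are assumptions; brctl (bridge-utils) and ip (iproute2) are assumed to be present on dom0.

```shell
#!/bin/sh
# Added example, not from the original post. Creates the two bridges on a
# dom0 that owns no ethernet device; domU vifs are attached by Xen's
# vif-bridge script when each guest starts. Set DRYRUN=1 to print the
# commands instead of executing them (they otherwise need root).

run() {
    if [ "${DRYRUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# A bridge with no physical port; STP and forward delay are unnecessary
# when the only ports are virtual interfaces.
make_bridge() {
    run brctl addbr "$1"
    run brctl stp "$1" off
    run brctl setfd "$1" 0
    run ip link set "$1" up
}

setup_dom0_bridges() {
    # DMZ bridge: carries public traffic between the firewall domU and the
    # web domU. Dom0 gets NO address on it, so hosting the bridge does not
    # make dom0 reachable from the public side.
    make_bridge xenbr-dmz

    # Private bridge: firewall domU, app/db domUs and dom0's management
    # interface. Dom0 is addressed here and nowhere else.
    make_bridge xenbr-priv
    run ip addr add 10.0.0.1/24 dev xenbr-priv
}

# Matching guest config (assumed names/addresses, Xen 3.0-era xm syntax):
#   firewall domU: pci = [ 'XX:XX.X' ]   # the hidden NIC, placeholder BDF
#                  vif = [ 'bridge=xenbr-dmz', 'bridge=xenbr-priv' ]
#   web domU:      vif = [ 'bridge=xenbr-dmz', 'bridge=xenbr-priv' ]
#   app/db domUs:  vif = [ 'bridge=xenbr-priv' ]

if [ "${0##*/}" = "dom0-bridges.sh" ]; then
    setup_dom0_bridges
fi
```

The public IP for the web domU is then routed or NATed by the firewall domU across xenbr-dmz; nothing in dom0 needs to carry it.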
