Hi,
I've seen you already have the answers to your questions... I have
one slightly off-topic remark on the proposed network topology:
I think it is better to have no public addresses at all defined on your
servers, and to define only the forwarding rules at the service level on
your firewall/routing system. TCP/UDP packets arriving at specific ports of
the public IP addresses virtually assigned to your firewall/router system
are then forwarded to the internal private IP addresses. So only your
firewall, which also virtually serves all such public addresses, knows from
which public address which service has to be forwarded to which internal
server with a private IP...
I find this configuration the safest way, securing you from your mistakes in
the firewall configuration as well as from mistakes in the configuration
of the servers themselves...
And even if somebody can bring your firewall into some error state which
releases all blocking packet rules and lets the whole traffic from outside
go "through", then without redefining the forwarding on the firewall your
servers cannot be hacked in any other way than over the published and allowed
services, which you can presumably secure better than the other services
that are obviously used for internal management of the servers, maintenance
data transfers, etc.
Sure, sometimes it is not possible, especially if you have to work with
other protocols like TCP, UDP and ICMP, but in 95-99% of cases all obvious
services run over the given 3 protocols.
With best regards
Archie
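The topology Archie describes (servers hold only private addresses; the firewall owns the public addresses and forwards single published services to them) is what a DNAT rule set on a Linux firewall looks like. The script below is an added example, not part of the thread and not from the Xen project: it generates the iptables rules from a constructed forwarding table and prints them instead of applying them, so it can be reviewed before use. The addresses (RFC 5737 documentation and RFC 1918 private ranges) and the interface names eth0/eth1 are assumptions. The point to notice is the default FORWARD DROP policy: even if the published list is wrong, only explicitly forwarded services can reach a server, which is exactly the property the mail argues for.

```shell
#!/bin/sh
# Added example (not from the thread): generate the iptables DNAT and FORWARD
# rules for a firewall that owns the public IPs and forwards only published
# services to private servers. Dry-run: rules are printed, not applied.

# Constructed forwarding table, one entry per line:
#   public_ip proto port private_ip
# (placeholder addresses; the public range is RFC 5737 TEST-NET-3)
FORWARDS='
203.0.113.10 tcp 80 192.168.10.11
203.0.113.10 tcp 443 192.168.10.11
203.0.113.11 udp 53 192.168.10.12
'

WAN_IF=eth0   # assumed external interface of the firewall
LAN_IF=eth1   # assumed internal interface towards the private servers

# Print the rule set. The FORWARD chain defaults to DROP, so any inbound
# packet that does not match a published (public_ip, proto, port) tuple is
# discarded; replies to established flows are allowed back in.
gen_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$FORWARDS" | while read -r pub proto port priv; do
        # skip the blank lines produced by the quoted table
        [ -z "$pub" ] && continue
        # rewrite the destination to the private server (same port)
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $pub -p $proto --dport $port -j DNAT --to-destination $priv:$port"
        # permit only that published service through to the private host
        echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $priv -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Stand-alone usage: review the output, then pipe it to sh as root on the firewall.
gen_rules
```

Management services (SSH, monitoring, backup transfers) get no entry in the table, so they are reachable only from the internal side, which is the separation the mail relies on.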
-----Original Message-----
From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
[mailto:xen-users-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Marcin Owsiany
Sent: Sunday, August 19, 2007 3:44 PM
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Networking with DomU(s) with public statis IPs
On Sun, Aug 19, 2007 at 01:08:48PM +0200, Jordi Espasa Clofent wrote:
> Hi folks,
>
> Let's suppose next net/xen topology
>
>  ----------
>  | Router |
>  ----------
>      |
>      |
>  -------------------
>  |      Dom0       |
>  -------------------
>    |    |
>    |    |    ------------------------------
>    |    -----| DomU with static public IP |
>    |         ------------------------------
>    |         ------------------------------
>    ----------| DomU with static public IP |
>              ------------------------------
This is just one way to do things.
Make sure you read http://wiki.xensource.com/xenwiki/XenNetworking
> And other domU with their own static public IP every one.
>
> My doubts are:
>
> * Is a public static IP also needed for dom0?
If your Dom0 acts as a router, then yes. If you use bridging, then no.
> * When a connection request (for a web page, for example) arrives from
> the router at dom0, how does dom0 know which is the correct domU to
> redirect the request to?
If you use bridging, then the bridge (inside dom0) just forwards frames
to domUs. If you use routing, then it's just a simple routing decision.
> I don't know how this scenario should be configured. If there is any
> tutorial or manual which explains it I will be very grateful.
Depends on your need really, there are several ways. Make sure you read
the material on the wiki, also googling for 'xen networking' will be
useful.
--
Marcin Owsiany <marcin@xxxxxxxxxx> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216
"Every program in development at MIT expands until it can read mail."
-- Unknown
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users