xen-users
[Xen-users] PV DomU kernel 2.4(.34) for IPCop
Hi everyone,
I am currently in the process of setting up a firewall/access point
DomU and I would like to know if there is any way to run a linux
kernel 2.4(.34) based system as a DomU. The primary reason for this
is that I want to run IPCop on such a kernel, but also that I
consider kernel 2.4 based systems to be more suitable for some
applications, especially for use as a firewall.
The main problem is that I can't run it in an HVM, since the setup I
plan to use involves passing all the necessary PCI NICs to the DomU
and my current CPU (AMD X2 e series on an AMD 780g chip-set) does not
support VT-d, making PCI passthrough to an HVM impossible (according
to my research at least). Using network bridges is also out of the
question, since I do not want the Dom0 to be aware of those devices
(or at least nothing but pciback in Dom0) and the network traffic to
and from the other DomUs should be handled by dummy interfaces only
(whereby I still have to figure out how to isolate Dom0 from those
access-wise but still let them have access to the DomUs). A future
expansion of the system also includes a PCI Wifi NIC that has to be
passed to the DomU to be able to configure HostAP with the firewall's
web interface and isolate it from Dom0. The Dom0 itself does not need
an internet connection and should only be accessible using a special
dedicated DomU via network (that does not use any of the other
services) or via physical access.
I also looked into the possibilities of using another firewall
distribution, but the best one I could come up with is the Endian
Firewall. It is based on kernel 2.6 and seems to work with Xen, but
the community release is lacking some of the features I do not want
to miss, like RADIUS integration (for use with an LDAP server DomU
mainly, though that one is not running just yet) and Captive Portal
(for easy access for neighbors and friends).
So my question now is: Does anyone know a way to make IPCop use
kernel 2.6 or preferably how to run a kernel 2.4 paravirtualized
system on Xen 3.2? Has anyone tried something like this before and
can maybe share his experiences?
Thanks,
Paul.
P.S.: I know, this setup sounds kind of paranoid, isolating Dom0 that
much, and I might hit a wall somewhere because certain things are not
possible yet (that's actually one of the points of this experiment, to
see what Xen can do). I also realize it is pointless unless I use a
system with IOMMU in a PCI passthrough setup (ultimately enabling PCI
Passthrough to HVM), but for me it is more like a proof of concept
than a security concern for the machine in question, and I prefer to
run Linux on Xen paravirtualized anyway. If anyone has some thoughts
on this that he or she would like to share, I am always thankful for
advice or another point of view.
--
Paul Schulze
avlex@xxxxxxx
Public Key: http://solaris-net.dyndns.org/keys/key_avlex.asc
"Making mistakes is human,
but to really fuck things up you need Computers"
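For readers wanting to see what the described layout looks like in practice, here is an added example of an xm-style domU configuration for the setup Paul sketches (NICs hidden from Dom0 with pciback and handed to a PV firewall domU, internal traffic over a separate bridge). This is not from the original post or from the IPCop/Xen projects; the kernel path, disk, bridge name and PCI addresses are placeholders, and it assumes a 2.4 kernel that has actually been patched for Xen's PV interface and a PCI frontend.

```python
# /etc/xen/ipcop.cfg  (hypothetical xm domain config, Xen 3.x syntax)
#
# Dom0 side (assumed, not shown in the post): the dom0 kernel boots with
#   pciback.hide=(02:00.0)(03:00.0)
# so pciback, not a network driver, claims the two NICs and dom0 never
# brings them up.  Placeholder PCI addresses throughout.

name   = "ipcop"
memory = 256
vcpus  = 1

# PV kernel for the guest; assumed to exist with Xen PV + pcifront support.
kernel = "/boot/vmlinuz-2.4.34-xenU"
root   = "/dev/sda1 ro"
disk   = ["phy:/dev/vg0/ipcop,sda1,w"]

# Physical NICs owned by the firewall domU only.  Without an IOMMU the
# guest's DMA is unrestricted, so this isolates dom0 administratively,
# not at the hardware level (the post's own caveat).
pci = ["02:00.0", "03:00.0"]

# Internal link to the other domUs.  xenbr_lan is a dom0 bridge carrying
# only vifs (e.g. over a dummy interface); no physical uplink is attached.
vif = ["bridge=xenbr_lan"]

on_reboot = "restart"
on_crash  = "restart"
```

A quick sanity check before starting the guest is `lspci -k` (or `ls /sys/bus/pci/drivers/pciback/`) in dom0 to confirm the placeholders above are bound to pciback and nothing else.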
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users