WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
 
   
 

xen-users

RE: [Xen-users] Xen 3.2 Setup advice pretty please

To: "'xen-users'" <xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: RE: [Xen-users] Xen 3.2 Setup advice pretty please
From: "Dustin Henning" <Dustin.Henning@xxxxxxxxxxx>
Date: Tue, 21 Oct 2008 13:08:17 -0400
Delivery-date: Tue, 21 Oct 2008 10:09:06 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <13810515.91224608252417.JavaMail.root@xxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Organization: PRD, Inc.
References: <23465250.71224608120385.JavaMail.root@xxxxxxxxxxxxxxxxxx> <13810515.91224608252417.JavaMail.root@xxxxxxxxxxxxxxxxxx>
Reply-to: Dustin.Henning@xxxxxxxxxxx
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: Ackznh9QKB/Qp0XbRg6QbZJjOuRlQwAADMZA
-----Original Message-----
From: edoardo@xxxxxxxxxxxxx [mailto:edoardo@xxxxxxxxxxxxx] On Behalf Of 
lists@xxxxxxxxxxxxx
Sent: Tuesday, October 21, 2008 12:58
To: Dustin Henning
Subject: Re: [Xen-users] Xen 3.2 Setup advice pretty please

----- "Dustin Henning" <Dustin.Henning@xxxxxxxxxxx> wrote:

> If you are using bridging and the connection to eth0 already supports
> all of these addresses, you should simply assign one address to each
> domU directly.  There is an ip= switch for the vif line in PV domUs,
> but I believe it is not for bridging.  That said, I think you want to
> remove the aliases and the IPs from dom0 and manually configure the
> eth0 in each domU just as you would a normal machine (with an IP,
> netmask, gateway, etc).  If the IPs can be used from dom0 and bridging
> is working properly, this should allow them to be used exclusively
> from their respective domUs.
>       Dustin 
> 
> -----Original Message-----
> From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
> [mailto:xen-users-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Lists
> Sent: Tuesday, October 21, 2008 12:24
> To: xen-users
> Subject: [Xen-users] Xen 3.2 Setup advice pretty please
> 
> Hi all,
> 
> I have been trying various failing solutions so I turn to the gurus
> for guidance in times of trouble.
> 
> I have a Xen 3.2-1 server running on a Debian etch
> (2.6.18-6-xen-vserver-686) in a remote data centre.
> I also have 5 public IPs in different ranges and only one NIC.
> 
> What I want to do is simple.  Have the applications running on my
> DomUs available to the internet.
> 
> Dom0 - Web proxy for routing to the correct Dom(2/3).
> Dom1 - Mail
> Dom2 - Web
> Dom3 - Web
> 
> I'd like it as secure as possible.
> 
> I tried using IP aliasing on my NIC + bridge but that didn't work.
> I tried nat but I can't seem to get the firewall to work properly.
> 
> 
> In short:
> 
>                        |-> Dom0
> WAN <--->   eth0   <---|-> Dom1
>         91.111.100.50  |-> Dom2
>         100.10.121.30  |-> Dom3
>         98.66.100.125
>         96.130.120.14
>         95.85.140.121
> 
> 
> If anyone has any advice at all, I'd greatly appreciate it.  I'm at a
> loss.
> 
> Thanks
> --
> eco
> 
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users
> 
> 
> 
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users

Thanks Dustin,

I'll give that a go and report how I do.  Does that mean the bridge can support 
IPs that are not clustered into one specific range (98.121.150.XXX)?

--
Eco

        I believe the bridge is basically a virtual layer 2 switch.  As such, 
it has no knowledge of layer 3 (IP in this case).  That said, and after 
re-reading your post, it is worth mentioning that most people feel that running 
applications on dom0 is inherently insecure.  I don't know what your web proxy 
does, but if it reroutes traffic based on subdomains, you should just set the 
subdomains to point at the proper domU IPs at your DNS server/service.  On the 
other hand, if it does something more than that, it should (based on this 
security theory) be in a separate domU itself.  Finally, also regarding 
security, you should probably run a firewall on each domU if you aren't 
already, as they will be exposed directly to the internet (unless they are behind 
a hardware firewall).
        Dustin



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
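
Added example, not part of the original message and not code from the Xen project: one way to produce the per-domU firewall suggested above, as a default-deny inbound ruleset in iptables-restore format for the mail and web domUs. The ports chosen per role, the SSH management rule and the admin address 203.0.113.10 are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example: render a default-deny inbound ruleset for one bridged domU.
# Ports per role and ADMIN_SRC are assumptions, not values from the thread.

# Constructed sample: management host allowed to reach SSH (documentation range).
ADMIN_SRC="203.0.113.10"

# role_ports ROLE -> space-separated public TCP ports for that domU role
role_ports() {
    case "$1" in
        mail) echo "25" ;;
        web)  echo "80 443" ;;
        *)    return 1 ;;
    esac
}

# domu_ruleset ROLE [ADMIN_SRC] -> iptables-restore text on stdout
domu_ruleset() {
    role=$1
    admin=${2:-$ADMIN_SRC}
    ports=$(role_ports "$role") || {
        echo "unknown role: $role" >&2
        return 1
    }
    echo "*filter"
    echo ":INPUT DROP [0:0]"      # anything not allowed below is dropped
    echo ":FORWARD DROP [0:0]"    # a domU is an end host, not a router
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -p icmp --icmp-type echo-request -j ACCEPT"
    echo "-A INPUT -s $admin -p tcp --dport 22 -j ACCEPT"
    for p in $ports; do
        echo "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    echo "COMMIT"
}

# Print the mail domU ruleset; inside the domU it would be loaded with
#   domu_ruleset mail | iptables-restore
domu_ruleset mail
```

Because the bridge forwards at layer 2, rules like these have to live in each domU (or on a firewall in front of the host); filtering only dom0's own INPUT chain does not cover traffic bridged to the guests.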
