-----Original Message-----
From: edoardo@xxxxxxxxxxxxx [mailto:edoardo@xxxxxxxxxxxxx] On Behalf Of
lists@xxxxxxxxxxxxx
Sent: Tuesday, October 21, 2008 12:58
To: Dustin Henning
Subject: Re: [Xen-users] Xen 3.2 Setup advice pretty please
----- "Dustin Henning" <Dustin.Henning@xxxxxxxxxxx> wrote:
> If you are using bridging and the connection to eth0 already supports
> all of these addresses, you should simply assign one address to each
> domU directly. There is an ip= switch for the vif line in PV domUs,
> but I believe it is not for bridging. That said, I think you want to
> remove the aliases and the IPs from dom0 and manually configure the
> eth0 in each domU just as you would a normal machine (with an IP,
> netmask, gateway, etc). If the IPs can be used from dom0 and bridging
> is working properly, this should allow them to be used exclusively
> from their respective domUs.
> Dustin
>
> -----Original Message-----
> From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
> [mailto:xen-users-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Lists
> Sent: Tuesday, October 21, 2008 12:24
> To: xen-users
> Subject: [Xen-users] Xen 3.2 Setup advice pretty please
>
> Hi all,
>
> I have been trying various failing solutions so I turn to the gurus
> for guidance in times of trouble.
>
> I have a Xen 3.2-1 server running on a Debian etch
> (2.6.18-6-xen-vserver-686) in a remote data centre.
> I also have 5 public IPs in different ranges and only one NIC.
>
> What I want to do is simple. Have the applications running on my
> DomUs available to the internet.
>
> Dom0 - Web proxy for routing to the correct Dom(2/3).
> Dom1 - Mail
> Dom2 - Web
> Dom3 - Web
>
> I'd like it as secure as possible.
>
> I tried using IP aliasing on my NIC + bridge but that didn't work.
> I tried nat but I can't seem to get the firewall to work properly.
>
>
> In short:
>
>                    |-> Dom0
> WAN <---> eth0 <---|-> Dom1
> 91.111.100.50      |-> Dom2
> 100.10.121.30      |-> Dom3
> 98.66.100.125
> 96.130.120.14
> 95.85.140.121
>
>
> If anyone has any advice at all, I'd greatly appreciate it. I'm at a
> loss.
>
> Thanks
> --
> eco
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users
Thanks Dustin,
I'll give that a go and report how I do. Does that mean the bridge can support
IPs that are not clustered into one specific range (98.121.150.XXX)?
--
Eco
I believe the bridge is basically a virtual layer 2 switch. As such,
it has no knowledge of layer 3 (IP in this case). That said, and after
re-reading your post, it is worth mentioning that most people feel that running
applications on dom0 is inherently insecure. I don't know what your web proxy
does, but if it reroutes traffic based on subdomains, you should just set the
subdomains to point at the proper domU IPs at your DNS server/service. On the
other hand, if it does something more than that, it should (based on this
security theory) be in a separate domU itself. Finally, also regarding
security, you should probably run a firewall on each domU if you aren't
already, as they will be exposed directly to the internet (unless they are behind
a hardware firewall).
Dustin