xen-users
Re: [Xen-users] Firewalling Xen?
On December 15, 2008 1:50 pm Grant McWilliams wrote:
> On Mon, Dec 15, 2008 at 1:05 PM, Dustin Henning <Dustin.Henning@xxxxxxxxxxx> wrote:
> > In case it is relevant, I simply allow all traffic to traverse
> > the forwarding chain when it is headed to a bridged destination. I
> > then simply run a firewall on dom0 and each domU as if they were all
> > individual machines. This seems to me like the way to go short of
> > doing something more drastic with hardware isolation, but as a lot of
> > people prefer to have much more complex firewall setups, it is
> > certainly likely that at least some of them have good reason.
> > Dustin
>
> Keep in mind that this method means you'll be managing multiple
> firewalls. In my case it would be about 30 firewalls total. By separating
> the internal private network from the real network you can run with one
> firewall. However, having said that, you can only forward each outside
> port to one port on one domU. This means if you have multiple web servers
> you can't forward the external port 80 to more than one internal, possibly
> making it messy for external clients accessing the virtual machines by
> requiring them to access services on non-standard ports. In my setup this
> is fine because I only forward one port anyway (ssh) to allow remote
> logins.
You can always use 1:1 NAT between a public IP and a private IP, for each
domU. There's nothing that forces you to use a single IP for the firewalled
interface.
--
Freddie
fjwcash@xxxxxxxxx
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
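
The single-firewall, 1:1 NAT layout discussed in this thread, as an added example that is not from any of the posters: a script that prints the dom0 iptables rules for a table of public-to-private domU mappings, so several web servers can each keep port 80. The interface name `eth0`, the 203.0.113.x and 10.0.0.x addresses, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: print (not apply) dom0 iptables rules for 1:1 NAT per domU.
# EXT_IF and every address below are assumptions, not values from the thread.
EXT_IF="${EXT_IF:-eth0}"

# is_ipv4 ADDR: succeed only for a dotted quad with each octet in 0..255.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# gen_nat_rules: read "PUBLIC_IP PRIVATE_IP TCP_PORTS" lines from stdin.
# Prints nothing and returns 1 if any line is malformed, so a typo cannot
# produce a half-built rule set.
gen_nat_rules() {
    rules=""
    while read -r pub priv ports extra; do
        case "$pub" in ''|'#'*) continue ;; esac
        if ! is_ipv4 "$pub" || ! is_ipv4 "$priv" || [ -n "$extra" ]; then
            echo "bad mapping: $pub $priv" >&2; return 1
        fi
        case "$ports" in ''|*[!0-9,]*|,*|*,|*,,*)
            echo "bad port list for $pub: $ports" >&2; return 1 ;;
        esac
        rules="$rules
iptables -t nat -A PREROUTING -i $EXT_IF -d $pub -j DNAT --to-destination $priv
iptables -t nat -A POSTROUTING -o $EXT_IF -s $priv -j SNAT --to-source $pub
iptables -A FORWARD -i $EXT_IF -d $priv -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Default-deny forwarding; only replies and the listed ports get through.
    printf '%s\n%s%s\n' "iptables -P FORWARD DROP" \
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
        "$rules"
}

# Constructed sample: two web servers, each reachable on the standard ports.
sample_map() {
    cat <<'EOF'
# public       private    tcp ports
203.0.113.11   10.0.0.11  80,443
203.0.113.12   10.0.0.12  22,80
EOF
}

sample_map | gen_nat_rules
```

The rules are only printed, so they can be reviewed before being applied. Each public address must also be configured on, or routed to, dom0's external interface before the DNAT rules see any traffic.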