xen-users
Re: [Xen-users] Firewalling Xen?
I do firewalling in this way:
The external NIC is attached to dom0 and has multiple IP addresses (which
are on the public internet). The xenbr0 has the IP address 10.0.0.1 and my
domUs are on that 10.0.0.x network. All necessary services are firewalled in
the dom0 and their necessary ports are forwarded using NAT. So I'm able to run
multiple webservers (each on its own IP and with port 80), a DNS server, a
mailserver and a Windows machine, each in a properly firewalled domU. There's
nothing special about that. But please note that some services might not work
using NATted transfers. This is just a suggestion; please prove me wrong if
there are any.
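The dom0 layout described above (public IPs on the external NIC, domUs behind xenbr0 on 10.0.0.x, one public IP per domU as Freddie suggests further down) written out as iptables rules. This is an added example, not anything posted in the thread; the interface names, the 198.51.100.x public addresses and the domU addresses are constructed, and by default the script only prints the rules so they can be reviewed before applying them.

```shell
#!/bin/sh
# Added example (not from the thread): 1:1 NAT plus forwarding filter in dom0.
# Assumptions: external NIC eth0, bridge xenbr0 with 10.0.0.1/24, and
# net.ipv4.ip_forward=1 already set in dom0. IPT defaults to "echo iptables"
# so nothing is changed until you run it with IPT=iptables.
EXT_IF="${EXT_IF:-eth0}"
BR_IF="${BR_IF:-xenbr0}"
DOMU_NET="${DOMU_NET:-10.0.0.0/24}"
IPT="${IPT:-echo iptables}"

# base_rules: default-deny forwarding, allow reply traffic, and let the
# domUs open outbound connections (DNS lookups, updates, mail delivery).
base_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$BR_IF" -o "$EXT_IF" -s "$DOMU_NET" -j ACCEPT
}

# map_domu PUBLIC_IP PRIVATE_IP TCP_PORT...
# One public IP per domU: inbound DNAT public->private, outbound SNAT
# private->public, and a FORWARD accept only for the listed TCP ports.
# Because each domU owns a public IP, several domUs can all serve port 80.
# Protocols that embed addresses in their payload (e.g. active FTP) still
# need a conntrack helper or a non-NAT setup, as the post above warns.
map_domu() {
    pub="$1"; priv="$2"; shift 2
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$pub" \
         -j DNAT --to-destination "$priv"
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$priv" \
         -j SNAT --to-source "$pub"
    for port in "$@"; do
        $IPT -A FORWARD -i "$EXT_IF" -o "$BR_IF" -d "$priv" -p tcp \
             --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
}

# rule_count: number of rules a mapping produces (2 NAT + 1 per port),
# handy as a sanity check when reviewing the echoed rule set.
rule_count() {
    map_domu "$@" | wc -l | tr -d ' '
}

base_rules
map_domu 198.51.100.10 10.0.0.10 80 443   # first web server
map_domu 198.51.100.11 10.0.0.11 80 443   # second web server, also port 80
map_domu 198.51.100.12 10.0.0.12 25 587   # mail server
```

Run it as `IPT=iptables sh firewall.sh` once the printed rule set looks right; the domUs themselves keep 10.0.0.1 as their default gateway.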
----- Original message ----
From: Freddie Cash <fjwcash@xxxxxxxxx>
To: xen-users@xxxxxxxxxxxxxxxxxxx
Sent: Monday, December 15, 2008, 22:56:06
Subject: Re: [Xen-users] Firewalling Xen?
On December 15, 2008 1:50 pm Grant McWilliams wrote:
> On Mon, Dec 15, 2008 at 1:05 PM, Dustin Henning
>
> <Dustin.Henning@xxxxxxxxxxx>wrote:
> > In case it is relevant, I simply allow all traffic to traverse
> > the forwarding chain when it is headed to a bridged destination. I
> > then simply run a firewall on dom0 and each domU as if they were all
> > individual machines. This seems to me like the way to go short of
> > doing something more drastic with hardware isolation, but as a lot of
> > people prefer to have much more complex firewall setups, it is
> > certainly likely that at least some of them have good reason.
> > Dustin
>
> Keep in mind that this method means you'll be managing multiple
> firewalls. In my case it would be about 30 firewalls total. By separating
> the internal private network from the real network you can run with one
> firewall. However, having said that, you can only forward each outside
> port to one port on one domU. This means if you have multiple web servers
> you can't forward the external port 80 to more than one internal, possibly
> making it messy for external clients accessing the virtual machines by
> requiring them to access services on non-standard ports. In my setup this
> is fine because I only forward one port anyway (ssh) to allow remote
> logins.
You can always use 1:1 NAT between a public IP and a private IP, for each
domU. There's nothing that forces you to use a single IP for the firewalled
interface.
--
Freddie
fjwcash@xxxxxxxxx
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users