Re: [Xen-users] Question about using Xen in a periphery firewall/router
On Thu, Aug 20, 2009 at 7:43 PM, Simon Hobson <linux@xxxxxxxxxxxxxxxx> wrote:
> Sanjay Arora wrote:
>> Is this possible? If so, is it secure? Or does dom0 always have direct
>> access to Network Card and needs a separate firewall? And packets will
>> always route from dom0 to all domUs ?
>
> OK, there are two ways to deal with this.
> An alternative is to create more than one bridge in Dom0. The 'outside'
> bridge will have members of the real network card, and the VIF for your
> firewall DomU. Dom0 either has no interface defined on this bridge*, or some
> iptables rules to block all outside traffic. The 'internal' bridge has
> member interfaces for Dom0, your firewall DomU, and all other DomUs. The
> route for packets is then :
>
> real i/f -> ext bridge -> VIF -> DomU (firewall) -> VIF -> int bridge \
> [ Dom0 | VIF -> DomU ]
>
This is what I use. From a security perspective, this is the same as
having an L2 switch (when dom0's bridges have no IP address) or an L3
switch (when dom0's bridges have an IP address).
--
Fajar
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
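The two-bridge layout Simon describes and Fajar says he uses, written out as dom0 commands plus the xl `vif = [...]` lines for each kind of DomU. This is an added example, not code from either poster or from the Xen project. Interface and bridge names (eth0, xenbr-ext, xenbr-int), the dom0 address on the internal bridge, and the use of `ip link ... type bridge` rather than the older `brctl` are assumptions. DRY_RUN defaults to 1 so the script only prints what it would do; DRY_RUN=0 applies it (needs root in dom0).

```shell
#!/bin/sh
# Added example, not from the original thread: the 'outside' / 'internal'
# two-bridge layout from the reply. Assumed names: eth0 is the real NIC,
# xenbr-ext and xenbr-int are the bridges, "firewall" is the DomU that
# sits on both. DRY_RUN=1 (the default) prints commands instead of running them.

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 'Outside' bridge: only the physical NIC joins it, and dom0 deliberately
# gives it no IP address, so dom0 acts as a plain L2 switch there.
setup_ext_bridge() {   # $1 bridge, $2 real interface
    run ip link add "$1" type bridge
    run ip link set "$2" master "$1"
    run ip link set "$2" up
    run ip link set "$1" up
}

# 'Internal' bridge: dom0 has an address here, so dom0 is reachable only
# through the firewall DomU, which is the sole path to the outside bridge.
setup_int_bridge() {   # $1 bridge, $2 dom0 address in CIDR form
    run ip link add "$1" type bridge
    run ip addr add "$2" dev "$1"
    run ip link set "$1" up
}

# The iptables alternative from the reply: if dom0 must keep an interface on
# the outside bridge, drop everything to and from dom0 itself on it. Bridged
# (forwarded) traffic to the firewall DomU's vif is not affected by these
# INPUT/OUTPUT rules.
block_dom0_on_ext() {  # $1 ext bridge
    run iptables -I INPUT -i "$1" -j DROP
    run iptables -I OUTPUT -o "$1" -j DROP
}

# vif line for an xl DomU config: the firewall DomU gets one vif per bridge
# (ext first, so it is eth0 inside the guest); every other DomU only the
# internal bridge, so its only route out is via the firewall DomU.
vif_line() {           # $1 role (firewall|internal), $2 ext bridge, $3 int bridge
    case "$1" in
        firewall) printf "vif = [ 'bridge=%s', 'bridge=%s' ]\n" "$2" "$3" ;;
        internal) printf "vif = [ 'bridge=%s' ]\n" "$3" ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Check for the L2-switch condition from the reply: given the text of
# `ip -4 addr show dev <bridge>`, succeed only if no IPv4 address is present.
ext_bridge_is_l2_only() {  # $1 captured output of ip -4 addr show
    ! printf '%s\n' "$1" | grep -q '^[[:space:]]*inet '
}

DRY_RUN="${DRY_RUN:-1}"
setup_ext_bridge xenbr-ext eth0
setup_int_bridge xenbr-int 192.168.1.1/24     # assumed dom0 address
block_dom0_on_ext xenbr-ext
vif_line firewall xenbr-ext xenbr-int          # firewall DomU config
vif_line internal xenbr-ext xenbr-int          # every other DomU
```

After the DomUs are up, `ip -4 addr show dev xenbr-ext` in dom0 should show no `inet` line; feed that output to `ext_bridge_is_l2_only` to confirm dom0 is not addressable from the outside bridge. Note that the iptables rules only cover dom0's own sockets; they do not inspect traffic bridged between eth0 and the firewall DomU's vif, which is the firewall DomU's job.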