xen-users
Re: [Xen-users] Question about using Xen in a periphery firewall/router
On Thursday 20 August 2009 13:33:07 Sanjay Arora wrote:
> Hello All
>
> XEN newbie here.
>
> If I install minimal linux for XEN in dom0 and a periphery firewall in
> domU and other applications in other instances of domU, is it possible
> to restrict/bind the network card to domU having periphery firewall
> and from there forward packets for dom0 or for other domUs?
>
> Is this possible? If so, is it secure? Or does dom0 always have direct
> access to Network Card and needs a separate firewall? And packets will
> always route from dom0 to all domUs ?
>
> What are the issues involved?
>
> With best regards.
> Sanjay.
I actually set up separate bridges for each network card I have in my
Router/Firewall/Server/....
Then I hook them all into the firewall-domU and only hook the separate domains
to each bridge depending on where they belong in the network.
The dom0 uses a dummy-device to be connected to one of the bridges and this
works correctly for me.

I do, however, set up all the bridges, apart from the one that dom0 is
connected to, but that is because I haven't figured out how to configure
multiple bridges in the xen-configuration.

As for how secure it is, unless there is some attack-vector that can access
the dom-0 over a bridge that only has the physical network device (no ip) and
the connection to the firewall-domain, this should be quite safe.
In the past 4 years that I've been using this set-up, I have not seen any
evidence of any packets reaching the dom0 other than the ones I allow through
the firewall.

Let me know if you want me to go more in-depth on how I set this up.
HTH,
Joost
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
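
One way to check the property described in the reply above (no dom0 address on any bridge other than the one dom0 uses, and the firewall domU attached to every bridge), as an added example that is not part of the original message. It parses `brctl show` and `ip -o addr show` output from dom0; the bridge names, the firewall's domain id 1, the addresses and both sample outputs are constructed assumptions, and `vifN.M` is Xen's naming for the dom0-side interface of domain N.

```python
import re

# Constructed `brctl show` output from dom0 (names are assumptions).
BRCTL = """\
bridge name     bridge id               STP enabled     interfaces
brwan           8000.001122334455       no              eth0
                                                        vif1.0
brdmz           8000.001122334466       no              eth1
                                                        vif1.1
brlan           8000.001122334477       no              dummy0
                                                        vif1.2
                                                        vif2.0
"""
# Constructed `ip -o addr show` output; brdmz carries a link-local IPv6 address.
IPADDR = """\
5: brlan    inet 192.168.10.2/24 brd 192.168.10.255 scope global brlan\\       valid_lft forever
6: brdmz    inet6 fe80::211:22ff:fe33:4466/64 scope link \\       valid_lft forever
"""

def parse_bridges(text):
    """Map bridge name -> member ports; indented rows continue the last bridge."""
    bridges, current = {}, None
    for line in filter(str.strip, text.splitlines()[1:]):   # skip header, blanks
        if line[0].isspace():
            bridges[current].append(line.split()[0])
        else:
            current = line.split()[0]
            bridges[current] = line.split()[3:4]             # port column may be empty
    return bridges

def parse_addrs(text):
    """Map interface -> addresses (IPv4 and IPv6) configured in dom0."""
    addrs = {}
    for dev, addr in re.findall(r"^\d+:\s+(\S+)\s+inet6?\s+(\S+)", text, re.M):
        addrs.setdefault(dev, []).append(addr)
    return addrs

def audit(brctl_text, ip_text, dom0_bridge, fw_domid):
    """Flag bridges the firewall domU is not on, and dom0 addresses off dom0's bridge."""
    findings, addrs = [], parse_addrs(ip_text)
    for br, ports in parse_bridges(brctl_text).items():
        if not any(p.startswith(f"vif{fw_domid}.") for p in ports):
            findings.append(f"{br}: firewall domU (domain {fw_domid}) not attached")
        if br != dom0_bridge:
            for dev in [br] + ports:
                for a in addrs.get(dev, []):
                    findings.append(f"{br}: dom0 address {a} on {dev}")
    return findings

print("\n".join(audit(BRCTL, IPADDR, dom0_bridge="brlan", fw_domid=1)))
```

Domain ids change when a domU is restarted, so the firewall's id has to be looked up before each run rather than hard-coded.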