WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
 
   
 

xen-users

Re: [Xen-users] Recipe for 'Thin Domain 0' request

To: romaq@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Recipe for 'Thin Domain 0' request
From: Tupshin Harper <tupshin@xxxxxxxxxxx>
Date: Sun, 03 Apr 2005 18:07:43 -0700
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Mon, 04 Apr 2005 01:07:48 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <E1DIDuk-0004av-TO@host-192-168-0-1-bcn-london>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <E1DIDuk-0004av-TO@host-192-168-0-1-bcn-london>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Debian Thunderbird 1.0 (X11/20050116)
William (Andy) Smith wrote:

> One particularly nasty thought is to have Host 1 and Host 2 each serve
> 'firewall' guest domains. We have one routing IP outside of our 'public' IP
> network, and our provider will allow us a second routing IP. I would need to
> prove the theory that I can isolate the NIC device and its traffic from
> Domain 0 and all other domains in a firewall application.
I can attest that this works quite well. I have a domU acting as a router/firewall, and aside from having to hack the bridging script to support 3 NICs, it worked without a problem.

The machine has 3 NICs (internet, dmz, internal), and the dom0 boots up with an IP address only on the internal NIC (eth1, eth2, xen-br1, and xen-br2 are all "up", but with no address assigned). The router domU is given access to all 3 NICs:

nics=3
vif = [ 'mac=cc:cc:cc:cc:cc:19, bridge=xen-br0', 'mac=cc:cc:cc:cc:cc:20, bridge=xen-br1', 'mac=cc:cc:cc:cc:cc:21, bridge=xen-br2' ]

while all the other domUs are only given access to the dmz NIC. The router domU then runs pppoe (for DSL), and standard iptables NATting and routing using the shorewall package, though any iptables-based routing approach should work fine.

This has been working quite stably for me for a while, starting with xen 2.0.4, then 2.0.5, and right now, unstable 3.0 as of a week or so ago.

Let me know (on or off list) if you have any questions about this setup.

-Tupshin

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
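Added example, not from Tupshin's post and not part of Xen: a dom0-side check for the property the post relies on, that the NICs and bridges handed to the router domU carry no IP address in dom0 itself. Interface names are taken from the post; the assumption that dom0's single address sits on xen-br0 follows from the post listing eth1, eth2, xen-br1 and xen-br2 as addressless; the `ip -o addr show` output is constructed. Keep in mind what this does and does not prove: the untrusted NIC's frames still pass through dom0's bridge and driver code, so this is isolation of dom0's IP stack from those interfaces, not isolation of the hardware.

```shell
#!/bin/sh
# Added example, not part of the original post: verify from dom0 that the
# interfaces handed to the router domU carry no address in dom0 itself.
# Interface names follow the post (eth1, eth2, xen-br1, xen-br2 addressless;
# dom0's only address on the internal bridge, assumed here to be xen-br0).
# Usage on a real host:  ip -o addr show | check_isolated eth1 eth2 xen-br1 xen-br2

# check_isolated IFACE...
# Reads `ip -o addr show` output on stdin. Prints "iface family address" for
# every named interface that carries an inet or inet6 address and returns 1;
# returns 0 (and prints nothing) when all named interfaces are addressless.
# IPv6 link-local addresses count: the kernel adds one to every interface that
# is brought "up" unless IPv6 is disabled on it, and dom0 answers on it.
check_isolated() {
    offenders=$(awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) isolated[w[i]] = 1 }
        ($3 == "inet" || $3 == "inet6") && ($2 in isolated) { print $2, $3, $4 }')
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# Constructed `ip -o addr show` output for a dom0 configured as in the post:
# loopback plus one address on the internal bridge, nothing on the others.
SAMPLE_OK='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
5: xen-br0    inet 192.168.0.2/24 brd 192.168.0.255 scope global xen-br0\       valid_lft forever preferred_lft forever'

# Constructed failure case: same host, but xen-br1 picked up an IPv6 link-local
# address when it came up, so dom0 is reachable on a bridge meant for the router.
SAMPLE_LEAK="$SAMPLE_OK
6: xen-br1    inet6 fe80::cecc:ccff:fecc:cc02/64 scope link \\       valid_lft forever preferred_lft forever"

# Demo: the first sample passes, the second is flagged.
for sample in "$SAMPLE_OK" "$SAMPLE_LEAK"; do
    if printf '%s\n' "$sample" | check_isolated eth1 eth2 xen-br1 xen-br2; then
        echo "OK: dom0 has no address on the router-owned interfaces"
    else
        echo "FAIL: dom0 has an address on an interface that should belong to the router domU only" >&2
    fi
done
```

Run it as a boot-time sanity check after the bridging script has brought the bridges up, and before the router domU is started. The IPv6 link-local case is the one that bites in practice: an interface with no IPv4 address configured still gets an fe80:: address the moment it comes up, so "no address assigned" has to be checked for both families, or IPv6 has to be disabled on those interfaces in dom0.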
