WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] Firewall in a guest domain?

Anyone want to share a step-by-step howto for approach 4 below?



On Wed, 2005-07-20 at 00:38 +0100, Mark Williamson wrote:
> > I guess what I am asking is if I can install for instance IPCop on domain3
> > and have it protect domains 0-9 or if I need to as you say run IPTables on
> > domain0 to restrict the guests... can I filter all traffic through dom3
> > or am I required to filter it through dom0 if I want any kind of
> > filtering?
> 
> Ah well...
> 
> Here are some (not all) possible configurations, in increasing order of 
> complexity and theoretical security:
> 
> * Basic system, no firewalling, as the default.
> * Add IPTables rules in dom0 to protect itself from the guests and outside 
> world, and protect and regulate the guests.
> * Add IPTables in the domUs to protect themselves.  This could be at the 
> discretion of the users.
> * Dedicate a physical device to a "firewall domain" and have it filter on 
> that interface for all the other domains.
> 
> The last seems closest to what you're proposing; there are a few people doing 
> this with success, although it's not as user friendly as it could be.
> 
> A workaround to assigning devices would be to bridge the ethernet device into 
> a guest, then have it filter at the IP (and above) level before delivering to 
> the other domains.  This would probably be a bit fiddly to set up but I think 
> people have done this too.
> 
> Cheers,
> Mark
> 
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users
-- 
Mike Hoesing <m-hoesing@xxxxxxx>


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
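As an added illustration of the second approach in Mark's list (iptables in dom0 protecting itself from the guests and regulating them), here is a dom0 firewall script. It is example code written for this page, not something posted in the thread or shipped with Xen. Every name in it is an assumption for illustration: the bridge uplink is eth0, dom0 answers on 192.168.1.10, the admin host is 192.168.1.2, the guests sit on 192.168.1.0/24 and are reached through vif<domid>.0 (Xen's vif naming), and the per-guest domid:ip table is made up. The security point it shows is that guests on a Xen bridge are layer-2 neighbours of dom0, so dom0 needs an explicit INPUT rule refusing them, and that bridged frames only pass through iptables at all when net.bridge.bridge-nf-call-iptables is enabled; the physdev match is what ties a rule to a specific guest's vif, which is also how a dedicated firewall domU (approach 4) would tell the guests apart on its own bridge.

```shell
#!/bin/sh
# Added example, not code from the thread: a dom0 iptables policy for Xen's
# bridged networking (dom0 protects itself from the guests and regulates them).
# All names and addresses are assumptions for illustration: uplink eth0, dom0
# at 192.168.1.10, admin host 192.168.1.2, guests on 192.168.1.0/24 behind
# vif<domid>.0. DRY_RUN=1 (the default) prints the commands instead of running them.

DRY_RUN="${DRY_RUN:-1}"
UPLINK="${UPLINK:-eth0}"
DOM0_IP="${DOM0_IP:-192.168.1.10}"
ADMIN_IP="${ADMIN_IP:-192.168.1.2}"
GUEST_NET="${GUEST_NET:-192.168.1.0/24}"
# Constructed domid:ip table; vif names follow Xen's vif<domid>.<n> convention.
GUESTS="${GUESTS:-1:192.168.1.101 2:192.168.1.102}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Bridged frames only traverse iptables when this sysctl is on; without it
# every FORWARD rule below is silently bypassed.
enable_bridge_filtering() {
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# INPUT: traffic addressed to dom0 itself. Guests share the bridge with dom0,
# so they are L2 neighbours and must be refused explicitly. SSH is accepted only
# when the frame entered the bridge from the physical uplink, so a guest that
# spoofs the admin address still hits the vif+ DROP.
dom0_input_rules() {
    run iptables -P INPUT DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -m physdev --physdev-in "$UPLINK" -s "$ADMIN_IP" -d "$DOM0_IP" -p tcp --dport 22 -j ACCEPT
    run iptables -A INPUT -m physdev --physdev-in 'vif+' -j DROP
    run iptables -A INPUT -s "$GUEST_NET" -d "$DOM0_IP" -j DROP
}

# FORWARD: traffic crossing the bridge between the vifs and the uplink.
guest_forward_rules() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for entry in $GUESTS; do
        domid="${entry%%:*}"
        ip="${entry#*:}"
        vif="vif${domid}.0"
        # Anti-spoofing: frames entering from this vif must carry the guest's own address.
        run iptables -A FORWARD -m physdev --physdev-in "$vif" ! -s "$ip" -j DROP
        # Guests may initiate connections out through the uplink only; guest-to-guest
        # traffic has no ACCEPT rule and falls to the DROP policy.
        run iptables -A FORWARD -m physdev --physdev-in "$vif" --physdev-out "$UPLINK" -s "$ip" -j ACCEPT
    done
    # Inbound new connections to guests: only ssh and http, and only from the uplink.
    run iptables -A FORWARD -m physdev --physdev-in "$UPLINK" -d "$GUEST_NET" \
        -p tcp -m multiport --dports 22,80 -m state --state NEW -j ACCEPT
}

# Render the whole policy as text (always dry-run) so it can be reviewed before use.
render_policy() {
    ( DRY_RUN=1; enable_bridge_filtering; dom0_input_rules; guest_forward_rules )
}

# Apply for real with DRY_RUN=0.
apply_policy() {
    enable_bridge_filtering
    dom0_input_rules
    guest_forward_rules
}

render_policy
```

Review the rendered output first, then run it with DRY_RUN=0 from the dom0 console rather than over SSH, since the INPUT policy flips to DROP before the SSH ACCEPT rule is added. The third approach in Mark's list (iptables inside each domU) would be the same INPUT-style rules run by the guest on its own eth0; what dom0 gains over that is that the per-vif anti-spoofing and guest-to-guest isolation cannot be switched off from inside a compromised guest.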