xen-users
Re: [Xen-users] Question about using Xen in a periphery firewall/router
Sanjay Arora wrote:
> XEN newbie here.
We all started there - I'm not much further on!
> If I install minimal linux for XEN in dom0 and a periphery firewall in
> domU and other applications in other instances of domU, is it possible
> to restrict/bind the network card to domU having periphery firewall
> and from there forward packets for dom0 or for other domUs?
> Is this possible? If so, is it secure? Or does dom0 always have direct
> access to Network Card and needs a separate firewall? And packets will
> always route from dom0 to all domUs?
OK, there are two ways to deal with this.
The approach I've used at home is to hide a network card from Dom0
(see pciback.hide) and pass it through to a DomU which then sees it
as a native interface. I then run a firewall in the DomU and the
outside traffic does NOT go through Dom0. The route for packets is
then:
real i/f -> DomU (firewall) -> VIF -> int bridge [ Dom0 | VIF -> DomU ]
An alternative is to create more than one bridge in Dom0. The
'outside' bridge will have members of the real network card, and the
VIF for your firewall DomU. Dom0 either has no interface defined on
this bridge*, or some iptables rules to block all outside traffic.
The 'internal' bridge has member interfaces for Dom0, your firewall
DomU, and all other DomUs. The route for packets is then:
real i/f -> ext bridge -> VIF -> DomU (firewall) -> VIF -> int bridge [ Dom0 | VIF -> DomU ]
* Personally, I've never got the bridge to work this way.
--
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
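The two layouts in Simon's reply, as an added example that is not part of the thread or of Xen's own tooling: a script that emits the xl config for the firewall DomU in each layout and gives two Dom0-side checks (is the outside NIC still visible to Dom0, and is it bound to pciback). The PCI address 00:19.0, the domain name "fw" and the bridge names xenbr0/xenbr-ext are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the xl config for the
# firewall DomU in both layouts described above and checks, from Dom0's
# side, that the outside NIC really is out of Dom0's reach.
# PCI address 00:19.0, the name "fw" and bridge "xenbr0" are assumptions.
EXT_PCI="00:19.0"      # assumed BDF of the outside NIC
INT_BRIDGE="xenbr0"    # assumed internal bridge in Dom0

# Layout 1 (what Simon runs): the outside NIC is passed through with
# pciback, so the firewall DomU's only vif sits on the internal bridge.
gen_fw_cfg_passthrough() {
    cat <<EOF
name = "fw"
memory = 512
pci = [ "$EXT_PCI" ]
vif = [ "bridge=$INT_BRIDGE" ]
EOF
}

# Layout 2 (the two-bridge alternative): one vif on the external bridge,
# one on the internal bridge; Dom0 must then hold no address on xenbr-ext.
gen_fw_cfg_bridged() {
    cat <<EOF
name = "fw"
memory = 512
vif = [ "bridge=xenbr-ext", "bridge=$INT_BRIDGE" ]
EOF
}

# Reads 'ip -o link show' output on stdin; exits 0 only if the named
# interface is still present in Dom0. In layout 1 the outside NIC must
# NOT be listed, i.e. this must fail for it.
dom0_sees_iface() {
    grep -q "^[0-9][0-9]*: $1:"
}

# Given the driver currently bound to the NIC (basename of
# /sys/bus/pci/devices/0000:$EXT_PCI/driver), succeed only for pciback.
nic_bound_to_pciback() {
    case "$1" in
        pciback|xen-pciback) return 0 ;;
        *) return 1 ;;
    esac
}
# Real use in Dom0 (not executed here):
#   ip -o link show | dom0_sees_iface eth1 && echo "eth1 still in Dom0!"
#   nic_bound_to_pciback "$(basename "$(readlink /sys/bus/pci/devices/0000:$EXT_PCI/driver)")"
```

If the second check fails, the NIC is still driven by Dom0's own driver and the "hidden" layout is not actually in effect, whatever the DomU config says.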