[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Question about using Xen in a periphery firewall/router scenario

  • To: xen-users@xxxxxxxxxxxxxxxxxxx
  • From: "Fajar A. Nugraha" <fajar@xxxxxxxxx>
  • Date: Thu, 20 Aug 2009 21:45:14 +0700
  • Delivery-date: Thu, 20 Aug 2009 07:46:08 -0700
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

On Thu, Aug 20, 2009 at 7:43 PM, Simon Hobson<linux@xxxxxxxxxxxxxxxx> wrote:
> Sanjay Arora wrote:
>> Is this possible? If so, is it secure? Or does dom0 always have direct
>> access to Network Card and needs a separate firewall? And packets will
>> always route from dom0 to all domUs ?
> OK, there are two ways to deal with this.

> An alternative is to create more than one bridge in Dom0. The 'outside'
> bridge will have members of the real network card, and the VIF for your
> firewall DomU. Dom0 either has no interface defined on this bridge*, or some
> iptables rules to block all outside traffic. The 'internal' bridge has
> member interfaces for Dom0, your firewall DomU, and all other DomUs. The
> route for packets is then :
> real i/f -> ext bridge -> VIF -> DomU (firewall) -> VIF -> int bridge \
>  [ Dom0 | VIF -> DomU ]

This is what I use. From security perspective, this is the same as
having an L2 switch (when dom0's bridges have no IP address) or L3
switch (when dom0's bridges have an IP address)


Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.