|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] Bridging firewall?
> > For the comments below I assume you are using Linux as your firewall OS. > That's right ... > > Not sure see my setup: > > i've two cards in dom0 :eth0 and eth1, eth1 is linked to my xdsl > > modem, eth0 to a switch for other physical machines, eth0 is also > > shared with other xenU domains (thoses who are consciderated to be > > after the firewall). br0 encapsulate eth0, one of the virtual network > > card of my firewall (the one consciderated filtred) and other xenU > > virtual network card br1 encapsulate eth1 and the other virtual > network card > So in a sense you've put your virtual servers on the same network as > some of your internal machines. > Yes, that's right but is it a problem ? >From a simple user point of view the virtual server which are after the firewall should another server. > > My basic idea was not to configure eth1 at all, i thought that if the > > interface is not activated there is no chance of attacking xen0. > > It tunrns that in order to have the packet directed to > > xenFirewall-input, i must do if config eth1 up. > > I've been thinking that the following similar method is possible, without > resorting to giving physical device access to a domU. > > Basically the same as above, except I'll just have a virtual eth1. > > Put dom0 and a virtual NIC for the firewall (domU1-eth0 say) on br0/eth0. > Put domU1-veth1, and all the other domUs on br, and all the other domUs > on br1. Then setup domU1 as a bridging firewall. Admin domU1, either via > the console from dom0 or setup a third private internal accessible from > dom0 or a management VPN. > > Quite complicated ? it seems that you 're relying on the fact your inbound traffic will go to the eth0 trought you're firewall (trough dom1 in fact). I'm quite afraid about the fact that some packet cleverly forged can go trough dom0 without going trough dom1. > > So there are three bridges. Not sure how well it would perform, or > whether the net/freebsd virtual NIC drives can hande this scenario. It > seems workable though. > Pf+altq, are by far much nicer than iptables. Not an expert in freebsd, better be sure than experimenting when talking about security. ------------------------------------------------------- This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting Tool for open source databases. Create drag-&-drop reports. Save time by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc. Download a FREE copy at http://www.intelliview.com/go/osdn_nl _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.sourceforge.net/lists/listinfo/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |