[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Recipe for 'Thin Domain 0' request

On Sun, 3 Apr 2005, William (Andy) Smith wrote:

> I would need to prove the theory that I can isolate the NIC device and 
> its traffic from Domain 0 and all other domains in a firewall 
> application.

I guess you could do the following, where I assume that
eth1 contains your untrusted traffic:

[eth1] <-> [xen-br1] <-> domU firewall <-> [xen-br0] <-> [eth0]
(no IP)                                    (dom0's IP)

This way eth0 is firewalled from external network traffic.
Yes, the packets will travel through dom0 to get to the
domU firewall - but dom0 does not have any IP addresses
before that firewall, so it will be much harder to attack.

"Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are,
by definition, not smart enough to debug it." - Brian W. Kernighan

Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.