Re: [Xen-users] Firewall in a guest domain?
> I guess what I am asking is if I can install for instance IPCop on domain3
> and have it protect domains 0-9 or if I need to as you say run IPTables on
> domain0 to restrict the guests... can I filter all traffic through dom3
> or am I required to filter it through dom0 if I want any kind of
> filtering?

Ah well... Here are some (not all) possible configurations, in increasing order of complexity and theoretical security:

* Basic system, no firewalling, as the default.
* Add IPTables rules in dom0 to protect itself from the guests and outside world, and protect and regulate the guests.
* Add IPTables in the domUs to protect themselves. This could be at the discretion of the users.
* Dedicate a physical device to a "firewall domain" and have it filter on that interface for all the other domains.

The last seems closest to what you're proposing; there are a few people doing this with success, although it's not as user friendly as it could be.

A workaround to assigning devices would be to bridge the ethernet device into a guest, then have it filter at the IP (and above) level before delivering to the other domains. This would probably be a bit fiddly to set up but I think people have done this too.

Cheers,
Mark
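Added example, not part of the original message: a sketch of the second configuration in the list (IPTables in dom0 protecting itself and regulating the guests), written as a shell function that prints an iptables-restore ruleset. It assumes a bridged setup where guest backends appear in dom0 as vifN.0, bridge netfilter is enabled so bridged frames traverse the FORWARD chain, and `eth0` is the bridge's physical port; the function name, interface names and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes bridged Xen networking with
# net.bridge.bridge-nf-call-iptables=1; interface names and addresses are constructed.
# usage: dom0_ruleset UPLINK ADMIN_NET "VIF=GUEST_IP=TCP_PORTS" ...
dom0_ruleset() {
    uplink=$1; admin_net=$2
    shift 2
    printf '%s\n' "*filter" ":INPUT DROP [0:0]" ":FORWARD DROP [0:0]" ":OUTPUT ACCEPT [0:0]"

    # dom0 protects itself: loopback, replies, and SSH from the admin network only.
    printf '%s\n' "-A INPUT -i lo -j ACCEPT"
    for g in "$@"; do
        # No new connections from a guest to dom0, even if its address is in ADMIN_NET.
        printf '%s\n' "-A INPUT -m physdev --physdev-in ${g%%=*} -m conntrack --ctstate NEW -j DROP"
    done
    printf '%s\n' "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "-A INPUT -s $admin_net -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"

    # dom0 regulates the guests. Anti-spoofing goes first: a guest may only send
    # from its assigned IP. (ARP/MAC spoofing on the bridge is out of iptables' reach.)
    for g in "$@"; do
        vif=${g%%=*}; rest=${g#*=}; ip=${rest%%=*}
        printf '%s\n' "-A FORWARD -m physdev --physdev-in $vif ! -s $ip -j DROP"
    done
    printf '%s\n' "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for g in "$@"; do
        vif=${g%%=*}; rest=${g#*=}; ip=${rest%%=*}; ports=${rest#*=}
        # Outbound: new connections only towards the uplink, so guest-to-guest
        # traffic has to match the destination guest's inbound port list below.
        printf '%s\n' "-A FORWARD -m physdev --physdev-in $vif --physdev-out $uplink --physdev-is-bridged -m conntrack --ctstate NEW -j ACCEPT"
        # Inbound: only the listed TCP ports reach this guest; the DROP policy covers the rest.
        printf '%s\n' "-A FORWARD -m physdev --physdev-out $vif --physdev-is-bridged -d $ip -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' "COMMIT"
}

# Constructed sample: two guests; print the ruleset for review before loading it.
dom0_ruleset eth0 192.0.2.0/24 "vif1.0=198.51.100.11=25" "vif3.0=198.51.100.13=80,443"
```

The same rules placed in a domU's own INPUT chain correspond to the third configuration; the default-drop FORWARD policy here only has an effect on bridged traffic while bridge netfilter is enabled.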