Re: [Xen-users] Firewall in a guest domain?
Anyone want to share a step-by-step howto for approach 4 below?

On Wed, 2005-07-20 at 00:38 +0100, Mark Williamson wrote:
> > I guess what I am asking is if I can install for instance IPCop on domain3
> > and have it protect domains 0-9 or if I need to as you say run IPTables on
> > domain0 to restrict the guests... can I filter all traffic through dom3
> > or am I required to filter it through dom0 if I want any kind of
> > filtering?
>
> Ah well...
>
> Here are some (not all) possible configurations, in increasing order of
> complexity and theoretical security:
>
> * Basic system, no firewalling, as the default.
> * Add IPTables rules in dom0 to protect itself from the guests and outside
>   world, and protect and regulate the guests.
> * Add IPTables in the domUs to protect themselves. This could be at the
>   discretion of the users.
> * Dedicate a physical device to a "firewall domain" and have it filter on
>   that interface for all the other domains.
>
> The last seems closest to what you're proposing, there are a few people doing
> this with success, although it's not as user friendly as it could be.
>
> A workaround to assigning devices would be to bridge the ethernet device into
> a guest, then have it filter at the IP (and above) level before delivering to
> the other domains. This would probably be a bit fiddly to set up but I think
> people have done this too.
>
> Cheers,
> Mark
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users

--
Mike Hoesing <m-hoesing@xxxxxxx>