Re: [Xen-users] Running workstation and firewall on the same hardware
> > Conceptually the simplest would be to have dom0 forward *link level*
> > packets to a domU, which can filter them at IP level and then send them
> > back to dom0. In this scheme dom0 still receives the packets initially
> > but doesn't do anything with them until they've been verified by the
> > domU. Link-level attacks on dom0 could compromise the machine but a
> > compromise of the domU will not (although your IP traffic is obviously
> > untrusted then).
>
> Maybe I've missed something obvious, but how would you do this?

I've never done it myself, so I can't give an exact recipe...

Basically you'd want to bridge all packets from the real ethernet onto the vif of the domU and bypass dom0's TCP stack. You should be able to do this by not configuring the bridge as an IP interface. Then create a second VIF to the domU, configure it for IP, and configure dom0's routing to use the IP over the domU as the gateway.

The domU would treat its first vif (the bridged one) as "external" and the second as "internal", even though they're really both serviced through dom0 in some way.

I think this is sane from a Linux PoV? (albeit very context-switch heavy from a Xen PoV)

Cheers,
Mark

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
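One concrete shape for the two-vif layout Mark sketches, as an added example that is not from the thread: the external bridge carries the NIC and the domU's first vif with no address in dom0, and the "internal" IP vif is carried on a second, NIC-less bridge that dom0 does address and routes through. The interface names (eth0, xenbr0, xenbr1), the 10.0.0.0/24 addresses and the use of a second bridge for the internal side are assumptions, not anything the post specifies.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints (or with "apply", runs) the
# dom0 commands and the xl vif stanza for the two-vif firewall-domU scheme.
# All interface names and addresses below are constructed placeholders.
set -eu

NIC=${NIC:-eth0}            # physical NIC, forwarded at link level only
EXT_BR=${EXT_BR:-xenbr0}    # external bridge: NIC <-> domU vif 1, no IP in dom0
INT_BR=${INT_BR:-xenbr1}    # internal bridge: dom0 <-> domU vif 2, carries IP
DOM0_IP=${DOM0_IP:-10.0.0.1/24}
FW_IP=${FW_IP:-10.0.0.2}    # domU address on the internal side, dom0's gateway

# Link-level path: dom0 forwards frames between NIC and vif 1 but holds no
# address on either the NIC or the bridge, so its IP stack never terminates
# traffic straight off the wire.
dom0_external_cmds() {
    printf '%s\n' \
        "ip link add name $EXT_BR type bridge" \
        "ip addr flush dev $NIC" \
        "ip link set $NIC master $EXT_BR" \
        "ip link set $NIC up" \
        "ip link set $EXT_BR up"
}

# IP path: a bridge with no physical port, shared only by dom0 and vif 2.
# dom0's default route points at the domU, so only filtered traffic returns.
dom0_internal_cmds() {
    printf '%s\n' \
        "ip link add name $INT_BR type bridge" \
        "ip addr add $DOM0_IP dev $INT_BR" \
        "ip link set $INT_BR up" \
        "ip route replace default via $FW_IP dev $INT_BR"
}

# xl config line for the firewall domU: vif 1 is "external", vif 2 "internal".
domu_vif_stanza() {
    printf "vif = [ 'bridge=%s', 'bridge=%s' ]\n" "$EXT_BR" "$INT_BR"
}

# Check worth keeping in a real script: the external path must never give
# dom0 an address, or the bypass of dom0's TCP stack is lost.
external_path_has_no_ip() {
    ! dom0_external_cmds | grep -q '^ip addr add'
}

case "${1:-}" in
    apply) dom0_external_cmds | sh -e; dom0_internal_cmds | sh -e ;;
    *) dom0_external_cmds; dom0_internal_cmds; domu_vif_stanza ;;
esac
```

Run without arguments to review the plan; `apply` executes the dom0 side, and the domU itself still needs its own address on its second interface plus its filtering and forwarding rules.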