[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Running workstation and firewall on the same hardware

> > Conceptually the simplest would be to have dom0 forward *link level*
> > packets to a domU, which can filter them at IP level and then send them
> > back to dom0. In this scheme dom0 still receives the packets initially
> > but doesn't do anything with them until they've been verified by the
> > domU.  Link-level attacks on dom0 could compromise the machine but a
> > compromise of the domU will not (although your IP traffic is obviously
> > untrusted then).
> Maybe I've missed something obvious, but how would you do this?

I've never done it myself, so I can't give an exact recipe...

Basically you'd want to bridge all packets from the real ethernet onto the vif 
of the domU and bypass dom0's TCP stack.  You should be able to do this by 
not configuring the bridge as an IP interface.  Then create a second VIF to 
the domU, configure it for IP, and configure dom0's routing to use the IP 
over the domU as the gateway.

The domU would treat it's first vif (the bridged one) as "external" and the 
second as "internal", even though they're really both serviced through dom0 
in some way.

I think this is sane from a Linux PoV?  (albeit very context-switch heavy from 
a Xen PoV)


Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.