Re: [Xen-users] Ideal(istic) Xen firewall design
Hi B.

B.G. Bruce wrote:

>>Option C-v2
>>===========
>>                            Internet
>>                                |
>>                           eth1 |
>>             ___________________|____________________
>>            |         __________|__________          |
>>            |        |      Firewall       |         |
>>Local eth0 =|========|     (Shorewall)     |=========|= eth2 DMZ (optional)
>>            |        |_____________________|         |
>>            |             eth3| |eth4                |
>>            | ______________  | |    _______________ |
>>            | | Web Server |  | |    | iPaq Server | |
>>            | | (Apache2)  |  | |    | (Bluetooth) |=|= USB Host #1
>>            | |____________|  | |    |_____________| | (for BT Dongle)
>>            |          eth0 \ | | / eth0             |
>>            | _______________\| |/                   |
>>            | | Mail Server | | |                    |
>>            | | (Courier)   | | |                    |
>>            | |_____________| | |                    |
>>            |           eth0 \| |                    |
>>            |                 | |                    |
>>            |             br0 | | br1                |
>>            |        _________|_|_________           |
>>            |       |                     |          |
>>            |       |        dom0         |          |
>>            |_______|_____________________|__________|
>>
>>Here, it is hoped that the bridges will tie the interface names in
>>the Firewall domain, and still allow the domUs to be restarted.
>> DETAILS:
>> - eth0, eth1 and eth2 are physical devices hidden from dom0
>> - USB Host #1 is also hidden from dom0
>> - eth2, eth3, and eth4 are essentially DMZ zones as far
>>   far as the Firewall is concerned.
>>
>>This sort of thing had been my original plan, however I've so far been
>>unable to create workable bridges ... I'll keep trying.
>>(ie. How do I create br0 and br1 in dom0 without physical interfaces?)
>>For tighter control it might be an idea to create another vif from
>>the dom0 to the Firewall _just_ for dom0 time updates, etc.
>>
>>
>
>Sorry, haven't had time to follow the thread completely, but I've done
>something similar to your C-V2 (using the dummy driver (dummy0-3). Have
>you thought of/tried this?
>

Thought _and_ tried it without much success. Mind you that was a week or so ago, and I've learnt more since.

Problems/questions I had included:

- how do I use multiple dummies! (*snicker*) ie. dummy0 and dummy1
  EDIT: scrub that :
    modprobe dummy -o dummy0
    modprobe dummy -o dummy1

- is there any advantage/reason to try vlan or tun/tap devices?
I understand from various postings that I need to manually create the extra bridges before bringing up the Firewall domain. I guess I could do that in a number of ways, but is there a 'Xen approved' method?

For a bridge that I want dom0 to communicate on, I assign an IP to that bridge. However for bridges that dom0 has nothing to do with I should not assign IPs. Correct? If this is the case, why do I need a dummy at all?

So the diagram ends up being like this, maybe????

Option C-v3
===========
                               Internet
                                   |
                              eth1 |
             ______________________|_________________________
            |        ______________|______________           |
            |       |          Firewall           |          |
Local eth0 =|=======|         (Shorewall)         |==========|= eth2 DMZ (optional)
            |       |_____________________________|          |
            |            eth4 |eth5 |                        |
            | ______________  |     |eth3 |  _______________ |
            | | Web Server |  |     |     |  | iPaq Server | |
            | | (Apache2)  |  |     |     |  | (Bluetooth) |=|= USB Host #1
            | |____________|  |     |     |  |_____________| | (for BT Dongle)
            |          eth0 \ |     |     | / eth0           |
            | _______________\|     |     |/                 |
            | | Mail Server | |     |     |                  |
            | | (Courier)   | |     |     |                  |
            | |_____________| |     |     |                  |
            |           eth0 \|     |     |                  |
            |                 |     |     |                  |
            |             br1 | br2 |     | ! br0 !          |
            |                _____________|_____________     |
            |               |                           |    |
            |               |           dom0            |    |
            |_______________|___________________________|____|

Thanks for the hint, I was just compiling vlan support into dom0 when your message arrived, so you've probably saved me from wandering further into a pointless exercise! :)

I'll start playing with dummies instead! lol
Better have a coffee first, in case I spit ...

I'll quit now :)

Marcus.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
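The "bridges with no physical interface behind them" question above, worked through as an added example (not Xen's own network script and not code from the thread): the three C-v3 bridges are created empty in dom0, only br0 gets an address, and the domU vif lines bind each guest to its bridge. Bridge and interface names follow the diagram; the dom0 address 192.0.2.1/24 is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not Xen's own network script): create the C-v3
# bridges in dom0 with no physical or dummy interface behind them.
# Assumptions: bridge names br0/br1/br2 as in the diagram, and a
# constructed dom0 address 192.0.2.1/24 on br0 only.
# DRY_RUN=1 prints the commands instead of running them.
set -e

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# make_bridge NAME [ADDR/PREFIX]
# An empty bridge is valid on its own; xend enslaves a vif to it when
# the matching domU starts, so the bridge name survives domU restarts.
# Only the bridge dom0 itself talks on gets an address; the others stay
# address-less so dom0 has no IP foothold on the domU-only segments.
make_bridge() {
    name=$1
    addr=$2
    run brctl addbr "$name"
    run brctl stp "$name" off
    run brctl setfd "$name" 0      # no forwarding delay on vif hot-plug
    if [ -n "$addr" ]; then
        run ip addr add "$addr" dev "$name"
    fi
    run ip link set "$name" up
}

setup_bridges() {
    if [ "${DRY_RUN:-0}" != "1" ] && [ "$(id -u)" != "0" ]; then
        echo "must run as root in dom0" >&2
        return 1
    fi
    make_bridge br0 192.0.2.1/24   # Firewall eth3 <-> dom0 only
    make_bridge br1                # Firewall eth4 <-> Web + Mail server
    make_bridge br2                # Firewall eth5 <-> iPaq server
}

# Matching domU config lines (Xen 'bridge=' vif option):
#   Firewall: vif = ['bridge=br0', 'bridge=br1', 'bridge=br2']
#   Web/Mail: vif = ['bridge=br1']     iPaq: vif = ['bridge=br2']
if [ "${1:-}" = "setup" ]; then
    setup_bridges
fi
```

Run `DRY_RUN=1 sh bridges.sh setup` first to review the command list, then `sh bridges.sh setup` as root in dom0 before starting the Firewall domain.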