[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Ideal(istic) Xen firewall design

Hi Markus,

Marcus Brown schrieb:

Hi Dirk,

Dirk H. Schulz wrote:
Hi Marcus,

thanks for so much info!

Just a short question before I start digging into your configs: What do
you gain by running the firewall inside a privileged guest system
instead of inside dom0?

It's modular, restartable, replaceable, ...
(ie. I can reboot the firewall without rebooting all the domUs)
That is a very good reason. I did not think of that, I have to admit.

oh, and someone gaining root access to the firewall won't be able to
play with xend, or the filesystems of the domUs.
Oh, err, shouldn't it be more difficult to get root access to the firewall than to the other systems? That's one thing firewalls are for, aren't they? :-)

I'm sure there are other good reasons :)
Yes, there are. This way one could have two firewalls to hide the domU network behind and a vpn server inbetween just for training (setting up vpn with dynamic routing, e.g.). Lots to play with on rainy weekends. :-) One could even setup complex OSPF scenarios just for testing. I start loving this concept ...


Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.