Re: [Xen-users] Xen networking concepts
On Tue, 2005-12-20 at 23:32 +0100, René Pfeiffer wrote:
> On Dec 20, 2005 at 1130 -0500, John A. Sullivan III appeared and said:
> >
> > Fernando made a really important point that I hope didn't slip by. Your
> > original e-mail described binding an external IP address to Dom0. I
> > would recommend never doing such a thing. If someone compromises dom0,
> > they have everything.
>
> Yes, I didn't miss that point.
>
> > [...]
> > We heavily shield dom0 with no IP addresses bound to the public
> > interface and pass all external traffic through the firewall as you
> > proposed.
>
> That's what I have in mind. The problem with the setup is the fact that
> the server is "heavily colocated", so we probably have to assign Dom0 an
> external IP address for system administration. I proposed to my
> colleagues to use a second IP address for the firewall and make the
> access to Dom0 VPN-only in addition to limiting packets from selected
> networks only.
>
> Thanks for your insights!
>
> Best,
> Lynx.
>

Why do you need a second IP address (unless I missed something)? To
eliminate the need to publicly expose the dom0 even in colocation
scenarios, we typically assign dom0 a private address only and access it
via VPN. Thus one only needs a public IP address for the VPN gateway - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@xxxxxxxxxxxxxxxxxxx
Financially sustainable open source development
http://www.opensourcedevel.com

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
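A small audit for the setup John describes (dom0 holding only a private address, with management reached over the VPN), added here as an example and not part of the thread. It parses a constructed sample of `ip -4 addr` output from dom0 and flags any address that is not loopback, link-local or RFC 1918, i.e. a public address bound directly to dom0; the interface names xenbr0 and vpn0 and the sample addresses are assumptions.

```python
import ipaddress
import re

# Constructed sample of `ip -4 addr` output on a dom0 host (not from the
# thread): a public address bound to the bridge, which the thread warns
# against, plus a private management address on the VPN interface.
SAMPLE_IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
    inet 127.0.0.1/8 scope host lo
2: xenbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet 203.0.113.10/24 brd 203.0.113.255 scope global xenbr0
3: vpn0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500
    inet 10.8.0.2/24 scope global vpn0
"""

# Ranges that are acceptable on a shielded dom0: loopback, link-local and
# the RFC 1918 private blocks. Anything else is treated as public.
ALLOWED_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("127.0.0.0/8", "169.254.0.0/16",
              "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

IFACE_RE = re.compile(r"^\d+: (\S+):")
INET_RE = re.compile(r"^\s+inet (\S+)")


def parse_ip_addr(text):
    """Return {interface: [IPv4Interface, ...]} from `ip -4 addr` output."""
    result = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
            continue
        m = INET_RE.match(line)
        if m and current is not None:
            result[current].append(ipaddress.ip_interface(m.group(1)))
    return result


def public_addresses(addrs):
    """List (interface, address) pairs for addresses outside ALLOWED_NETWORKS."""
    findings = []
    for iface, entries in addrs.items():
        for entry in entries:
            if not any(entry.ip in net for net in ALLOWED_NETWORKS):
                findings.append((iface, str(entry.ip)))
    return findings


def audit(text):
    """Parse `ip -4 addr` output and return the public addresses found on dom0."""
    return public_addresses(parse_ip_addr(text))
```

Run against the sample it reports the public address on xenbr0; a clean dom0 (private address on the VPN interface only) returns an empty list.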