Re: [Xen-users] Remote management of DomU
On Wed, Dec 21 '05 at 07:19, Alan Murrell wrote:
> > A quick thought is to do it via VPN. Expose the Dom0 to the internal
> > network but use iptables to restrict virtually all traffic to the Dom0
> > and then allow only ssh coming off of an IPSec tunnel to be allowed to
> > go from the firewall to the Dom0 - John
>
> If Dom0 doesn't have a physical interface, how would I expose it to the
> internal network? Or are you suggesting I should add a 4th NIC?

Without going back into the archive, but I think no one has come up with it:
You can always give the bridge interface an IP, then you can use it from
Dom0 as if it was a regular interface.

I'm currently running a Xen3 amd64 server with three bridges:
 - xenbr0: with the real eth0, and a vif from a firewall domU
 - privbr: one vif from the firewall, and vifs from some domU. All
   interfaces on this bridge use 192.168.x.y IPs. This one also has an
   IP on its own, so the Dom0 can be accessed
 - pubbr: one vif from the firewall, vifs from some domUs all with public IPs.

The firewall is doing routing between xenbr0 and pubbr.

I'm also running a VPN domU that allows me to access the network on privbr.

Works fine so far.
-- 
 /"\ Goetz Bock at blacknet dot de  --  secure mobile Linux everNETting
 \ /       (c) 2005 Creative Commons, Attribution-ShareAlike 2.0 de
  X   [ 1. Use descriptive subjects - 2. Edit a reply for brevity  - ]
 / \  [ 3. Reply to the list - 4. Read the archive *before* you post ]

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
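
One way to combine the two suggestions in this thread (an IP on the bridge, and iptables limiting what reaches Dom0 to ssh), as an added example that is not part of the original post. The addresses, the VPN domU source address and the `dom0_mgmt_plan` helper are assumptions; the script prints the commands and only runs them when `APPLY=1`.

```shell
#!/bin/sh
# Added example: plan a management IP on a Xen bridge plus Dom0 INPUT rules.
# Commands are printed only; APPLY=1 also runs them (needs root in Dom0).
run() {
    echo "$*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255.
is_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# dom0_mgmt_plan BRIDGE ADDR PREFIX VPN_SRC (hypothetical helper)
dom0_mgmt_plan() {
    bridge=$1 addr=$2 prefix=$3 vpn_src=$4
    # Reject anything that is not a plain interface name or IPv4 value.
    case "$bridge" in ''|*[!A-Za-z0-9_.-]*) echo "bad bridge" >&2; return 2 ;; esac
    case "$prefix" in ''|*[!0-9]*|???*) echo "bad prefix" >&2; return 2 ;; esac
    [ "$prefix" -le 32 ] || { echo "bad prefix" >&2; return 2; }
    is_ipv4 "$addr" && is_ipv4 "$vpn_src" || { echo "bad address" >&2; return 2; }
    # Give the bridge its own address so Dom0 is reachable on it.
    run ip addr add "$addr/$prefix" dev "$bridge" &&
    run ip link set "$bridge" up &&
    # Keep replies to connections that are already open.
    run iptables -A INPUT -i "$bridge" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT &&
    # Only ssh, and only from the VPN domU, may reach Dom0 on this bridge.
    run iptables -A INPUT -i "$bridge" -p tcp -s "$vpn_src" --dport 22 -j ACCEPT &&
    # Everything else addressed to Dom0 on this bridge is dropped.
    run iptables -A INPUT -i "$bridge" -j DROP
}

# Constructed values: the post only gives 192.168.x.y for privbr.
dom0_mgmt_plan privbr 192.168.10.1 24 192.168.10.5
```

These rules sit on the INPUT chain, so they only affect packets addressed to Dom0 itself, not traffic bridged between the domUs on the same bridge.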