Re: [Xen-users] Bridge vs. Route configuration?

[NAHieu <nahieu@xxxxxxxxx>]

I got few explains on the pros and cons of bridge and route
method.Thank you for all the helps.

So generally I understand that on of the major differences between
these approaches is that Bridge method works at layer 2, while Route
method works at layer 3 (OSI).

Another question is: if I want to make a firewall to protect DomUs, then:
- Any tools readily vailable for Bridge config?
- Any tools readily available for Route config?

Any pointer to documentation/example would be appreciated.

Many thanks.
H



-
On 6/10/06, Eric Windisch <lists@xxxxxxxxxx> wrote:
> > In Xen, by default the domains are configured to use bridge (with
> > network-bridge script). But there is network-route, and this option
> > also allows us to connect domains.
> >
> > But I don't see what is the advantage of Route config over Bridge. In
> > which case we should use Route method instead?
>
> Bridging is perfectly fine in many cases, but when you have untrusted
> DomU, routing can be preferable.
>
> Routing establishes a healthy level of distrust to your network stack.
>
> - Do trust dom01 to not assign itself IPs assigned to dom02 ?
> - Do I want a firewall between dom01 and dom02 ?
> - Do I want dom01's web access sent to a transparent proxy, but not
> dom02's web access?
>
> These are questions that can be solved by routing.   Finally, I should
> note that  bridges aren't completely lost in terms of security, ebtables
> is far from useless, but it isn't as flexible as routing.
>
> --
> Eric Windisch
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users