
RE: [Xen-users] Networking with DomU(s) with public static IPs



Hi, 

        I've seen you already have the answers to your questions... I have
one little, slightly off-topic remark on the proposed network topology:
I think it is better to have no public addresses at all defined on your
servers and to define only the forwarding rules at the service level on
your firewall/routing system. TCP/UDP packets arriving at specific ports of
the public IP addresses virtually assigned to your firewall/router system
are then forwarded to the internal private IP addresses. So only your
firewall, which also virtually serves all such public addresses, knows from
which public address which service has to be forwarded to which internal
server with a private IP...
I find this configuration the safest way, protecting you from your own
mistakes in the firewall configuration as well as from mistakes in the
configuration of the servers themselves...
And even if somebody manages to push your firewall into some error state
which drops all the blocking packet rules and lets the whole of the outside
traffic "through", then without the forwarding being redefined on the
firewall your servers cannot be attacked in any other way than over the
published and allowed services, which you can perhaps secure better than
the other services, which are obviously used for internal management of the
servers, maintenance data transfers, etc.
Sure, sometimes it is not possible, especially if you have to work with
protocols other than TCP, UDP and ICMP, but in 95-99% of cases all the usual
services run over those 3 protocols.

        With best regards

                Archie
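To make the topology Archie describes concrete, here is an added example (it is not code from this thread) that generates an iptables ruleset for a Linux firewall/router in that role: every public address lives only on the firewall, the servers behind it carry private RFC 1918 addresses, the FORWARD chain is default-deny, and exactly one DNAT plus one accept rule exists per published service. The interface names, addresses and the service table are hypothetical, and the generator refuses a table that would forward to a non-private address, the kind of typo that would otherwise silently open a relay.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables ruleset for a
# firewall/router that owns all the public addresses and forwards only the
# published services to servers that carry private addresses only.
# Interface names, addresses and the service table are hypothetical.

WAN=eth0                # assumed public-facing interface
LAN=eth1                # assumed interface towards the private servers
LAN_NET=10.0.0.0/24     # assumed private server network

# Constructed service table, one published service per line:
# proto  public_ip  public_port  private_ip  private_port
SERVICES='
tcp 203.0.113.10 80  10.0.0.10 80
tcp 203.0.113.10 443 10.0.0.10 443
tcp 203.0.113.11 25  10.0.0.11 25
udp 203.0.113.12 53  10.0.0.12 53
'

# RFC 1918 check: forwarding targets must be private, so a typo in the table
# cannot silently turn the firewall into an open relay to some public host.
is_private() {
    case $1 in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Print the ruleset to stdout; review it, then run it as root with "| sh".
fw_rules() {
    wan=$1; lan=$2; lan_net=$3; table=$4
    for ip in $(printf '%s\n' "$table" | awk 'NF { print $4 }'); do
        is_private "$ip" || { echo "refusing: $ip is not a private address" >&2; return 1; }
    done
    # Default deny: nothing reaches the firewall itself or crosses it unless
    # a rule below says so.
    echo "iptables -F; iptables -t nat -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Servers may initiate outbound connections, hidden behind the firewall.
    echo "iptables -A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $wan -s $lan_net -j MASQUERADE"
    # The public addresses exist only on the firewall (deduplicated).
    printf '%s\n' "$table" | awk 'NF { print $2 }' | sort -u | while read -r pub_ip; do
        echo "ip addr add $pub_ip/32 dev $wan"
    done
    # One DNAT plus one FORWARD accept per published service, nothing else.
    printf '%s\n' "$table" | while read -r proto pub_ip pub_port priv_ip priv_port; do
        [ -n "$proto" ] || continue
        echo "iptables -t nat -A PREROUTING -i $wan -p $proto -d $pub_ip --dport $pub_port" \
             "-j DNAT --to-destination $priv_ip:$priv_port"
        echo "iptables -A FORWARD -i $wan -o $lan -p $proto -d $priv_ip --dport $priv_port" \
             "-m state --state NEW -j ACCEPT"
    done
}

# Helpers for checking the generated ruleset before applying it.
count_dnat()      { fw_rules "$@" | grep -c -- '-j DNAT'; }
count_published() { fw_rules "$@" | grep -c -- '--state NEW -j ACCEPT'; }
```

Because the servers' management ports (SSH, backup agents and so on) never appear in the table, they are unreachable from outside even if somebody later flushes the filter rules: with no DNAT for them, packets to the public addresses have nowhere to go but the firewall itself, which is exactly the property Archie is after.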

-----Original Message-----
From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
[mailto:xen-users-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Marcin Owsiany
Sent: Sunday, August 19, 2007 3:44 PM
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Networking with DomU(s) with public static IPs

On Sun, Aug 19, 2007 at 01:08:48PM +0200, Jordi Espasa Clofent wrote:
> Hi folks,
> 
> Let's suppose next net/xen topology
> 
> ---------
> | Router |
> ----------
>      |
>      |
> -------------------
> |     Dom0      |
> -------------------
>        |     |
>        |     |            ----------------------------
>        |     ------------| DomU with static public IP |
>        |                  -----------------------------
>        |            ----------------------------
>        ------------| DomU with static public IP |
>                     -----------------------------

This is just one way to do things.
Make sure you read http://wiki.xensource.com/xenwiki/XenNetworking

> And other domU with their own static public IP every one.
> 
> My doubts are:
> 
> * Is a public static IP also needed for dom0?

If your Dom0 acts as a router, then yes. If you use bridging, then no.

> * When a connection petition (a web page, for example) arrives from the 
> router to dom0, how does dom0 know which is the correct domU to redirect 
> the petition to?

If you use bridging, then the bridge (inside dom0) just forwards frames
to domUs. If you use routing, then it's just a simple routing decision.

> I don't know how this scenario should be configured. If there is any 
> tutorial or manual which explains it I will be very grateful.

Depends on your need really, there are several ways. Make sure you read
the material on the wiki, also googling for 'xen networking' will be
useful.

-- 
Marcin Owsiany <marcin@xxxxxxxxxx>              http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216
 
"Every program in development at MIT expands until it can read mail."
                                                              -- Unknown
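As an added illustration of the two modes Marcin contrasts (not code from the thread, nor from Xen's own network scripts): in bridged mode dom0 needs no public address of its own, the domU is simply attached to the bridge with a line such as `vif = ['bridge=xenbr0']` in its config, and the bridge switches frames by MAC address. In routed mode, the one xend's network-route and vif-route scripts set up, dom0 does own a public address on the uplink, has forwarding enabled, and the "simple routing decision" is a /32 host route per domU public IP pointing at that domU's vif, plus proxy ARP on the uplink so the upstream router hands those addresses to dom0. The block below emits those dom0 commands for a constructed table; interface and vif names and all addresses are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or from Xen's own scripts): emit the dom0
# commands for the *routed* setup, where dom0 owns a public address on the
# uplink and makes a host-routing decision per domU.  Names and addresses are
# hypothetical.

UPLINK=eth0                 # assumed uplink towards the router
DOM0_PUB=203.0.113.2        # assumed public address of dom0 itself
UPLINK_PREFIX=24            # assumed prefix length of the uplink subnet

# Constructed table: domU public IP and the vif dom0 sees for that domU.
DOMUS='
203.0.113.20 vif1.0
203.0.113.21 vif2.0
'

# Print the dom0-side commands; review, then run as root with "| sh".
routed_dom0() {
    uplink=$1; dom0_ip=$2; prefix=$3; table=$4
    echo "ip addr add $dom0_ip/$prefix dev $uplink"
    echo "sysctl -w net.ipv4.ip_forward=1"
    # dom0 answers ARP for the domU addresses on the uplink, so the router
    # hands their traffic to dom0 even though they are not its own.
    echo "sysctl -w net.ipv4.conf.$uplink.proxy_arp=1"
    printf '%s\n' "$table" | while read -r ip vif; do
        [ -n "$ip" ] || continue
        echo "ip link set $vif up"
        # This host route is the routing decision: packets for the domU's
        # public IP leave through that domU's vif and nowhere else.
        echo "ip route add $ip/32 dev $vif"
    done
}

# Dry run of the routing decision: which vif would the generated routes pick
# for a destination?  Fails (non-zero) if no domU owns that address.
vif_for() {
    table=$1; dst=$2
    printf '%s\n' "$table" \
        | awk -v d="$dst" 'NF && $1 == d { print $2; found = 1 } END { exit !found }'
}
```

Each domU then uses dom0's public address as its default gateway; none of this is needed in bridged mode, where the domU's own ARP replies reach the router directly through the bridge.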

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
