RE: [Xen-users] Networking with DomU(s) with public static IPs
Hi,

I've seen You already have the answers for Your questions...

I have one slightly off-topic remark on the proposed network topology - I think it is better to have no public addresses at all defined on Your servers and to define only the rules for forwarding at the service level on Your firewall/routing system - TCP/UDP packets incoming to specific ports of the virtually assigned public IP addresses of Your firewall/router system are then forwarded to the internal private IP addresses. So only Your firewall, which also virtually serves all such public addresses, knows which service has to be forwarded from which public address to which internal server with the private IP...

I find this configuration the safest way, securing You from Your mistakes in the firewall configuration as well as from mistakes in the configuration of the servers themselves... And even if somebody can bring Your firewall to some error which would cause all blocking packet rules to be released, so that the firewall lets the whole traffic from outside "through", without redefining the forwarding on the firewall Your servers cannot be hacked in any other way than over the published and allowed services, which You can possibly secure better than other services, which are obviously used for internal management of the servers, maintenance data transfers, etc.

Sure, sometimes it is not possible, especially if You have to work with other protocols like TCP, UDP and ICMP, but in 95-99% of cases all obvious services run over the given 3 protocols.
With best regards
Archie

-----Original Message-----
From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx [mailto:xen-users-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Marcin Owsiany
Sent: Sunday, August 19, 2007 3:44 PM
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Networking with DomU(s) with public static IPs

On Sun, Aug 19, 2007 at 01:08:48PM +0200, Jordi Espasa Clofent wrote:
> Hi folks,
>
> Let's suppose next net/xen topology
>
>       ----------
>       | Router |
>       ----------
>           |
>           |
>  -------------------
>  |      Dom0       |
>  -------------------
>    |       |
>    |       |            ------------------------------
>    |       -------------| DomU with static public IP |
>    |                    ------------------------------
>    |                    ------------------------------
>    ---------------------| DomU with static public IP |
>                         ------------------------------

This is just one way to do things. Make sure you read
http://wiki.xensource.com/xenwiki/XenNetworking

> And other domU with their own static public IP every one.
>
> My doubts are:
>
> * ¿Is it needed a public static IP also for dom0?

If your Dom0 acts as a router, then yes. If you use bridging, then no.

> * When a connection petition (a web page, for example) arrives from
> router to dom0 ¿how does dom0 know what is the correct domU to redirect
> the petition?

If you use bridging, then the bridge (inside dom0) just forwards frames
to domUs. If you use routing, then it's just a simple routing decision.

> I don't know how this scenario should be configured. If there is any
> tuto or manual which explain it I will be very grateful.

Depends on your need really, there are several ways. Make sure you read
the material on the wiki, also googling for 'xen networking' will be
useful.

--
Marcin Owsiany <marcin@xxxxxxxxxx> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216

"Every program in development at MIT expands until it can read mail."
-- Unknown

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
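
The service-level forwarding described in the first message above, as an added example that is not part of the original thread: a shell function that prints an iptables-restore ruleset in which only listed ports of the firewall's public addresses are DNATed to private DomU addresses. All addresses, ports and the SERVICES table are constructed (203.0.113.0/24 stands in for the public range, 10.0.0.0/24 for the private DomU network).

```shell
#!/bin/sh
# Dry run only: the ruleset is printed, nothing is applied to the host.
# Published services (constructed sample), one per line:
#   proto  public_ip  public_port  private_ip  private_port
SERVICES='tcp 203.0.113.10 80 10.0.0.10 80
tcp 203.0.113.10 443 10.0.0.10 443
tcp 203.0.113.11 25 10.0.0.11 25
udp 203.0.113.12 53 10.0.0.12 53'

emit_ruleset() {
    # nat table: the only way from a public address to a DomU is an
    # explicit per-service DNAT entry. The DomUs hold private addresses
    # only, so nothing else is addressable from outside.
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    printf '%s\n' "$SERVICES" | while read -r proto pub pport priv dport; do
        echo "-A PREROUTING -d $pub -p $proto --dport $pport -j DNAT --to-destination $priv:$dport"
    done
    echo 'COMMIT'

    # filter table: forwarding is dropped by default; only new connections
    # to a published service and replies to established flows pass.
    # INPUT/OUTPUT rules for the firewall host itself are out of scope here.
    echo '*filter'
    echo ':FORWARD DROP [0:0]'
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "$SERVICES" | while read -r proto pub pport priv dport; do
        echo "-A FORWARD -d $priv -p $proto --dport $dport -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

emit_ruleset
```

The output can be reviewed and then loaded with iptables-restore on the firewall; management ports such as SSH on the DomUs never appear in the table, so they have no forwarding entry at all.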