
Re: [Xen-users] Firewalling Xen?

On December 15, 2008 1:50 pm Grant McWilliams wrote:
> On Mon, Dec 15, 2008 at 1:05 PM, Dustin Henning
> <Dustin.Henning@xxxxxxxxxxx> wrote:
> > In case it is relevant, I simply allow all traffic to traverse
> > the forwarding chain when it is headed to a bridged destination.  I
> > then simply run a firewall on dom0 and each domU as if they were all
> > individual machines.  This seems to me like the way to go short of
> > doing something more drastic with hardware isolation, but as a lot of
> > people prefer to have much more complex firewall setups, it is
> > certainly likely that at least some of them have good reason.
> > Dustin
> Keep in mind that this method means you'll be managing multiple
> firewalls. In my case it would be about 30 firewalls total. By separating
> the internal private network from the real network you can run with one
> firewall. However, having said that, you can only forward each outside
> port to one port on one domU. This means if you have multiple web servers
> you can't forward the external port 80 to more than one internal one, possibly
> making it messy for external clients accessing the virtual machines by
> requiring them to access services on non-standard ports. In my setup this
> is fine because I only forward one port anyway (ssh) to allow remote
> logins.

You can always use 1:1 NAT between a public IP and a private IP, for each 
domU.  There's nothing that forces you to use a single IP for the firewalled 
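The 1:1 NAT approach suggested above, as an added example that is not part of the original message: a small POSIX shell script for dom0 that prints the iptables rules mapping each domU's private address to its own public address, with a default-deny FORWARD policy so the NAT rewrite alone does not expose every guest port. The interface name eth0, the addresses and the per-guest port lists are constructed assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): emit iptables rules that give
# each domU its own public IP via 1:1 NAT on dom0, so several guests can all
# expose the same service port (e.g. 80) without the single-IP port conflict.
# Assumptions (hypothetical): dom0's public interface is eth0, the 203.0.113.x
# addresses are routed to dom0, and the 10.0.0.x addresses live on an
# internal-only bridge.  All addresses are constructed sample values.
PUB_IF="${PUB_IF:-eth0}"

# nat_rules PUBLIC_IP PRIVATE_IP "PORT PORT ..."
# Prints the iptables commands for one domU; pipe through sh (as root) to apply.
nat_rules() {
    pub="$1"; priv="$2"; ports="$3"
    # Inbound: anything arriving for the public address is rewritten to the domU.
    echo "iptables -t nat -A PREROUTING -i $PUB_IF -d $pub -j DNAT --to-destination $priv"
    # Outbound: guest-originated traffic leaves with its own public address.
    echo "iptables -t nat -A POSTROUTING -s $priv -o $PUB_IF -j SNAT --to-source $pub"
    # The NAT rewrite alone authorises nothing; FORWARD decides what passes,
    # so only the listed TCP ports are opened for this guest.
    for p in $ports; do
        echo "iptables -A FORWARD -i $PUB_IF -d $priv -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
}

# Shared policy applied once: default deny, allow return traffic only.
base_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Constructed sample mapping: two web servers, both reachable on port 80,
# plus an ssh-only host.  Columns: public private comma-separated-ports
DOMU_MAP="203.0.113.10 10.0.0.10 80,22
203.0.113.11 10.0.0.11 80
203.0.113.12 10.0.0.12 22"

all_rules() {
    base_rules
    echo "$DOMU_MAP" | while read -r pub priv ports; do
        nat_rules "$pub" "$priv" "$(echo "$ports" | tr ',' ' ')"
    done
}

all_rules
```

Review the printed rules before piping them into sh; with the default-deny FORWARD policy in place, a guest whose port list is empty is reachable from outside on nothing at all.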


Xen-users mailing list
