Re: [Xen-users] Firewalling Xen?
On December 15, 2008 1:50 pm Grant McWilliams wrote:
> On Mon, Dec 15, 2008 at 1:05 PM, Dustin Henning
> <Dustin.Henning@xxxxxxxxxxx> wrote:
> > In case it is relevant, I simply allow all traffic to traverse
> > the forwarding chain when it is headed to a bridged destination. I
> > then simply run a firewall on dom0 and each domU as if they were all
> > individual machines. This seems to me like the way to go short of
> > doing something more drastic with hardware isolation, but as a lot of
> > people prefer to have much more complex firewall setups, it is
> > certainly likely that at least some of them have good reason.
> > Dustin
>
> Keep in mind that this method means you'll be managing multiple
> firewalls. In my case it would be about 30 firewalls total. By separating
> the internal private network from the real network you can run with one
> firewall. However, having said that you can only forward each outside
> port to one port on one domU. This means if you have multiple web servers
> you can't forward the external port 80 to more than one internal possibly
> making it messy for external clients accessing the virtual machines by
> requiring them to access services on non-standard ports. In my setup this
> is fine because I only forward one port anyway (ssh) to allow remote
> logins.

You can always use 1:1 NAT between a public IP and a private IP, for each
domU. There's nothing that forces you to use a single IP for the firewalled
interface.

--
Freddie
fjwcash@xxxxxxxxx

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
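
The 1:1 NAT arrangement suggested in the reply above, sketched as an added example that is not part of the original thread: a script that prints the dom0 iptables rules for a per-domU public/private mapping, so one firewall still filters every guest and two web servers can both answer on port 80. The addresses (documentation ranges), the `eth0` external interface and the function names are assumptions.

```shell
#!/bin/sh
# Constructed mapping: public IP, private domU IP, allowed inbound TCP ports.
# All addresses are documentation ranges; eth0 as the external NIC is assumed.
MAPPINGS='203.0.113.11 10.0.0.11 80,443
203.0.113.12 10.0.0.12 80
203.0.113.13 10.0.0.13 22'
EXT_IF=eth0
INT_NET=10.0.0.0/24

# Print the rules for one 1:1 mapping (hypothetical helper).
gen_one() {
    pub=$1; priv=$2; ports=$3
    # Inbound: rewrite the public destination to the domU's private address.
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $pub -j DNAT --to-destination $priv"
    # Outbound: the domU leaves with its own public address, not a shared one.
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $priv -j SNAT --to-source $pub"
    # FORWARD is evaluated after DNAT, so the filter matches the private address.
    echo "iptables -A FORWARD -i $EXT_IF -d $priv -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT"
}

# Print the complete rule set: default-deny forwarding plus one block per domU.
gen_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -o $EXT_IF -s $INT_NET -m conntrack --ctstate NEW -j ACCEPT"
    echo "$MAPPINGS" | while read -r pub priv ports; do
        if [ -n "$pub" ]; then
            gen_one "$pub" "$priv" "$ports"
        fi
    done
}

# Review the output before applying it on dom0.
gen_rules
```

Each public address must also be routed to, or configured as an alias on, dom0's external interface for the DNAT rules to see any traffic.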