
Re: [Xen-users] Firewalling Xen?


  • To: xen-users@xxxxxxxxxxxxxxxxxxx
  • From: Franz Von Hahn <franz.vonhahn@xxxxxxxx>
  • Date: Mon, 15 Dec 2008 22:20:47 +0000 (GMT)
  • Delivery-date: Mon, 15 Dec 2008 14:21:31 -0800
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

I do firewalling in this way:

The external NIC is attached to dom0 and has multiple IP addresses (which 
are on the public Internet). xenbr0 has the IP address 10.0.0.1 and my 
domUs are on that 10.0.0.x network. All necessary services are firewalled in 
the dom0 and their necessary ports are forwarded using NAT. So I'm able to run 
multiple webservers (each on its own IP and with port 80), a DNS server, a 
mailserver and a Windows machine, each in a properly firewalled domU. There's 
nothing special about that. But please note that some services might not work 
over NATted transfers. This is just a suggestion; please prove me wrong if 
there are any.





----- Original Message ----
From: Freddie Cash <fjwcash@xxxxxxxxx>
To: xen-users@xxxxxxxxxxxxxxxxxxx
Sent: Monday, 15 December 2008, 22:56:06
Subject: Re: [Xen-users] Firewalling Xen?

On December 15, 2008 1:50 pm Grant McWilliams wrote:
> On Mon, Dec 15, 2008 at 1:05 PM, Dustin Henning
> <Dustin.Henning@xxxxxxxxxxx> wrote:
> >        In case it is relevant, I simply allow all traffic to traverse
> > the forwarding chain when it is headed to a bridged destination.  I
> > then simply run a firewall on dom0 and each domU as if they were all
> > individual machines.  This seems to me like the way to go short of
> > doing something more drastic with hardware isolation, but as a lot of
> > people prefer to have much more complex firewall setups, it is
> > certainly likely that at least some of them have good reason.
> >         Dustin
>
> Keep in mind that this method means you'll be managing multiple
> firewalls. In my case it would be about 30 firewalls total. By separating
> the internal private network from the real network you can run with one
> firewall. However, having said that you can only forward each outside
> port to one port on one domU. This means if you have multiple web servers
> you can't forward the external port 80 to more than one internal, possibly
> making it messy for external clients accessing the virtual machines by
> requiring them to access services on non-standard ports. In my setup this
> is fine because I only forward one port anyway (ssh) to allow remote
> logins.

You can always use 1:1 NAT between a public IP and a private IP, for each 
domU.  There's nothing that forces you to use a single IP for the firewalled 
interface.

-- 
Freddie
fjwcash@xxxxxxxxx

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
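The three variants discussed in this thread (Grant's single ssh forward, Franz's "port 80 on each public IP" webservers, and Freddie's 1:1 NAT per domU) can all be expressed as dom0 iptables rules on the same layout. The script below is an added example, not code from anyone in the thread or from the Xen project; the interface names (eth0, xenbr0), the public addresses (203.0.113.x, a documentation range) and the domU addresses are assumptions. It is a dry run by default and only prints the iptables commands; run it as root with `IPT=iptables` to apply them.

```shell
#!/bin/sh
# Added example, not from the thread: dom0 firewall/NAT rules for the layout
# described above (public IPs on the external NIC, domUs on xenbr0 in
# 10.0.0.0/24 with dom0 at 10.0.0.1). Interface names, the 203.0.113.x public
# addresses and the domU addresses are assumptions for illustration.
# Dry run by default: prints the commands. Run as root with IPT=iptables to
# apply them (net.ipv4.ip_forward must be 1 for any of this to forward).

IPT="${IPT:-echo iptables}"
EXT_IF="${EXT_IF:-eth0}"
BR_IF="${BR_IF:-xenbr0}"
DOMU_NET="${DOMU_NET:-10.0.0.0/24}"

# Default-deny FORWARD; only reply traffic and the explicit holes below pass.
base_policy() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # domUs may open outbound connections to the Internet.
    $IPT -A FORWARD -i "$BR_IF" -o "$EXT_IF" -s "$DOMU_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Per-port forward (Grant's ssh-only setup, and Franz's one-webserver-per-
# public-IP setup): PUBLIC_IP:PUBLIC_PORT -> DOMU_IP:DOMU_PORT.
# Usage: forward_port PUBLIC_IP PROTO PUBLIC_PORT DOMU_IP DOMU_PORT
forward_port() {
    pub="$1"; proto="$2"; pport="$3"; domu="$4"; dport="$5"
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$pub" -p "$proto" --dport "$pport" \
        -j DNAT --to-destination "$domu:$dport"
    # FORWARD sees the already-rewritten destination, so match the domU side.
    $IPT -A FORWARD -i "$EXT_IF" -o "$BR_IF" -d "$domu" -p "$proto" --dport "$dport" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# 1:1 NAT (Freddie's suggestion): a whole public IP is dedicated to one domU,
# so it can expose any service on its standard port and its outbound traffic
# leaves with its own public address. The public IP must not be one dom0
# serves from itself: DNAT rewrites the destination before INPUT is consulted.
# Inbound is still limited to the listed TCP ports by the FORWARD rules.
# Usage: map_1to1 PUBLIC_IP DOMU_IP TCP_PORT...
map_1to1() {
    pub="$1"; domu="$2"; shift 2
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$pub" -j DNAT --to-destination "$domu"
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$domu" -j SNAT --to-source "$pub"
    for port in "$@"; do
        $IPT -A FORWARD -i "$EXT_IF" -o "$BR_IF" -d "$domu" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
}

# Every other domU leaving the bridge uses dom0's primary address. Must be
# added after the 1:1 SNAT rules: POSTROUTING is matched in order.
default_masquerade() {
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$DOMU_NET" -j MASQUERADE
}

apply_rules() {
    base_policy
    forward_port 203.0.113.10 tcp 22 10.0.0.2 22      # ssh into one domU
    forward_port 203.0.113.11 tcp 80 10.0.0.3 80      # webserver A
    forward_port 203.0.113.12 tcp 80 10.0.0.4 80      # webserver B
    map_1to1 203.0.113.13 10.0.0.5 25 143 993          # mailserver, 1:1 NAT
    default_masquerade
}

apply_rules
```

The ESTABLISHED,RELATED rule is what lets replies back in; protocols that carry addresses inside the payload (active-mode FTP is the usual case) only work through this NAT with the matching conntrack/NAT helper modules loaded, which is the kind of "might not work over NAT" case mentioned above.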





