
Re: [Xen-users] Firewalling Xen?


  • To: Andris <andris@xxxxxxxx>
  • From: "Grant McWilliams" <grantmasterflash@xxxxxxxxx>
  • Date: Wed, 17 Dec 2008 01:24:40 -0800
  • Cc: xen-users@xxxxxxxxxxxxxxxxxxx
  • Delivery-date: Wed, 17 Dec 2008 01:25:20 -0800
  • List-id: Xen user discussion <xen-users.lists.xensource.com>


On Wed, Dec 17, 2008 at 12:06 AM, Andris <andris@xxxxxxxx> wrote:
Hi!

I set up my servers this way and prefer it as most flexible solution for me.

Dom0 (no firewall, firewalled externally by ISP's firewall) - independent host machine, no special setup for easy replacement if it fails
DomU1 (Dedicated shorewall firewall machine doing nat, load balancing, proxying etc. for the other DomU's in virtual LAN)
DomU'sX (all inside LAN, behind DomU1 firewall)
DomU'sY (proxyarped in DMZ zone, look like standalone machines from internet)

So everything is bridged (NET,LAN,DMZ bridges)

Very flexible, I can replace any component and my DomU's are not bound to Dom0. I can move DomUs easily within my Dom0s.



andris

So you have the DomU1's IP address exposed to the outside and then have one of its network interfaces on the internal private network's bridge? I'd assume this means that the DomU1's other network interface would be added to the eth0 bridge that peth0 resides on? I'm not sure I like the idea of Dom0 sitting there unprotected. Let's not forget that if another machine anywhere on the real network were exploited the Dom0 is a sitting duck. The consequences of Dom0 falling are huge. You could just keep it that same way and put a firewall on Dom0 anyway because what do you really want to allow in since the router is really DomU1?


I was thinking though of having the traffic come in eth0 and have Dom0's firewall forward everything to the first DomU which would then do all the real filtering and NAT. I only have one external IP address to use. I'm a bit worried about speed though since I'm filtering everything twice.

Grant
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
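The layout Grant describes in his second paragraph (Dom0 holds the single public address on eth0 and hands everything to the first DomU, which does the real filtering and NAT), written out as an iptables script. This is an added example, not code from either poster or from the Xen project: it assumes a routed Dom0 with the public address on eth0, an internal bridge xenbr1 carrying 10.0.0.0/24, and the firewall DomU at 10.0.0.2; these names and addresses are placeholders. With DRY_RUN=1 (the default) the script prints the commands instead of applying them, so it can be reviewed before it is run as root with DRY_RUN=0.

```shell
#!/bin/sh
# Dom0 as a thin forwarder: all inbound traffic on the external interface is
# DNATed to the firewall DomU, and Dom0 itself only accepts SSH from the
# internal admin network. Interface names and addresses below are assumed
# placeholders, not values from the thread.
EXT_IF="${EXT_IF:-eth0}"          # interface carrying the one public IP
INT_IF="${INT_IF:-xenbr1}"        # internal bridge the firewall DomU's vif sits on
FW_DOMU="${FW_DOMU:-10.0.0.2}"    # firewall DomU (the real filter/NAT box)
ADMIN_NET="${ADMIN_NET:-10.0.0.0/24}"
DRY_RUN="${DRY_RUN:-1}"           # 1 = print commands, 0 = apply them

# Wrapper so the ruleset can be inspected without touching the live tables.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'sysctl -w net.ipv4.ip_forward=1\n'
    else
        sysctl -w net.ipv4.ip_forward=1
    fi
}

dom0_rules() {
    ipt -F
    ipt -t nat -F

    # Dom0 exposes nothing of its own to the outside; FORWARD is opened only
    # for the paths listed explicitly below.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Management of Dom0 only from the internal admin network.
    ipt -A INPUT -i "$INT_IF" -s "$ADMIN_NET" -p tcp --dport 22 -j ACCEPT

    # Every new connection arriving on the public interface goes to the
    # firewall DomU; the nat table is consulted once per connection, so this
    # is a cheap conntrack lookup rather than full filtering done twice.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -m conntrack --ctstate NEW \
        -j DNAT --to-destination "$FW_DOMU"
    ipt -A FORWARD -i "$EXT_IF" -d "$FW_DOMU" -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Outbound traffic from the firewall DomU leaves with Dom0's public address.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$FW_DOMU" -j MASQUERADE
    ipt -A FORWARD -i "$INT_IF" -s "$FW_DOMU" -o "$EXT_IF" -j ACCEPT
}

# Number of iptables invocations the ruleset produces (useful for a dry-run check).
rule_count() {
    DRY_RUN=1 dom0_rules | grep -c '^iptables'
}

enable_forwarding
dom0_rules
```

Only the firewall DomU is reachable from the public interface, so Dom0 is no longer the "sitting duck" of the first reply, and because the second pass through Dom0 is a single DNAT plus connection tracking, the double-filtering cost is small compared with the stateful ruleset the DomU runs.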
