Re: [Xen-users] Firewalling Xen?
Hi Andris,

Thanks for your advice. The setup of your Xen box is quite similar to mine. The whole system is still under testing, NOT for production yet.

> I set up my servers this way and prefer it as most flexible solution
> for me.
>
> Dom0 (no firewall, firewalled externally by ISP's firewall) -
> independent host machine, no special setup for easy replacement if
> fails

For testing convenience no firewall is running on Dom0. But after testing is completed I'll install a firewall on Dom0.

> DomU1 (Dedicated shorewall firewall machine doing nat, load
> balancing, proxying etc. for another DomU's in virtual LAN)

Same as here. DomU1 is only for routing, with shorewall running, also doing proxying.

> DomU'sX (all inside LAN, behind DomU1 firewall)

Also same as here. All DomUs are protected behind the firewall of DomU1. The whole system is working nicely on Intranet (local network). My further test is to allow other PCs on the Internet to connect to the DomUs remotely to fetch mails, also via DomU1 by proxying. I don't run a separate proxy server here. In such a case I wonder whether each DomU needs its own firewall? Thanks

B.R.
Stephen L

> DomU'sY (proxyarped in DMZ zone, looks like standalone machines from
> internet)
>
> So everything is bridged (NET,LAN,DMZ bridges)
>
> Very flexible, I can replace any component and my DomU's are not
> bound to Dom0. I can move DomUs easily within my Dom0s.
>
> andris
>
> Stephen Liu wrote:
> > --- Grant McWilliams <grantmasterflash@xxxxxxxxx> wrote:
> >
> >> Grant McWilliams
> >>
> >> Some people, when confronted with a problem, think "I know, I'll
> >> use Windows."
> >> Now they have two problems.
> >>
> >> On Tue, Dec 16, 2008 at 9:01 AM, Thomas Goirand <thomas@xxxxxxxxxx>
> >> wrote:
> >>
> >>> lists@xxxxxxxxxxxxx wrote:
> >>>
> >>>> I'm wondering how to setup a firewall for Dom0 when all traffic
> >>>> for the DomUs go 'through' it.
> >>>
> >>> Hi,
> >>>
> >>> as we do commercial VPS hosting with xen and our own open source
> >>> management interface, we have designed a small anti-DoS firewall
> >>> to setup in your dom0. It does nothing spectacular, but it helps
> >>> against ssh dictionary attacks, and other very common flood types
> >>> that might hurt your server: ping, syn, etc.
> >>>
> >>> http://git.gplhost.com/gitweb/?p=dtc-xen.git;a=blob;f=debian/dtc-xen.init;h=5e4df2e46e3a872a2d73ada77e24e8bb242f8b6b;hb=a75a32b23d6dde71dc684045b3c2e7051c30e6fa
> >>>
> >>> I'd be happy to have contributions in this small script that is by
> >>> the way very simple to extend (just add few functions for yourself
> >>> and share, then anybody can enable/disable them with ease).
> >>>
> >>> Thomas
> >>
> >> Don't you mean this ;-)
> >>
> >> http://git.gplhost.com/gitweb/?p=dtc-xen.git;a=blob;f=debian/dtc-xen-firewall.init;h=16139921d6efd6fc2e407f7d80b11fae97befdf9;hb=a75a32b23d6dde71dc684045b3c2e7051c30e6fa
> >>
> >> A bit off topic but can dtc-xen control its users in a way that you
> >> can assign an admin per VM? What I'm looking for is to have each
> >> student manage his and only his domU.
> >>
> >> Grant McWilliams
> >
> > Hi folks,
> >
> > Just came across this thread. The setup of the Xen box here is as
> > follows:
> >
> > Dom0 - a workstation for remote setup/config DomU
> > DomU1 - mail server for routing (headless)
> > DomU2 - mail server for domain1 (headless)
> > DomU3 - mail server for domain2 (headless)
> > DomU4 - mail server for domain3 (headless)
> > etc.
> >
> > Firewall is only running on domU1. I'm running virtual domains, with
> > all domains pointing at the same public IP (one public IP). All
> > ports on router are forwarded to the local IP of DomU1. Do I need to
> > have firewall installed on each DomU? TIA
> >
> > B.R.
> > Stephen L

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
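
The kind of dom0 anti-DoS filter described in the quoted thread (SSH dictionary attacks, ping and SYN floods), sketched as an added example that is not part of the thread and is not the dtc-xen script. The function name `antidos_rules`, the chain name `ANTIDOS` and every limit value are assumptions.

```shell
#!/bin/sh
# Added example, not the dtc-xen script. Names and limits are assumptions.
# Usage: antidos_rules [SSH_PORT] [SSH_HITS] [SSH_WINDOW_SECONDS]
# Prints a ruleset in iptables-restore format; the function applies nothing.
antidos_rules() {
    ssh_port=${1:-22}; ssh_hits=${2:-5}; ssh_window=${3:-60}
    # Reject anything that is not a plain decimal number before emitting rules.
    for n in "$ssh_port" "$ssh_hits" "$ssh_window"; do
        case $n in
            ''|*[!0-9]*) echo "antidos_rules: '$n' is not a number" >&2; return 1 ;;
        esac
    done
    [ "$ssh_port" -ge 1 ] && [ "$ssh_port" -le 65535 ] || {
        echo "antidos_rules: port out of range" >&2; return 1; }
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:ANTIDOS - [0:0]
# INPUT covers dom0 itself; FORWARD covers routed domU traffic, and bridged
# domU traffic only when net.bridge.bridge-nf-call-iptables=1.
-A INPUT -j ANTIDOS
-A FORWARD -j ANTIDOS
# Established flows are not rate limited.
-A ANTIDOS -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
# SSH dictionary attacks: drop a source after too many new connections.
-A ANTIDOS -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m recent --name ssh --set
-A ANTIDOS -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m recent --name ssh --update --seconds $ssh_window --hitcount $ssh_hits -j DROP
# Ping flood: per-source limit on echo requests.
-A ANTIDOS -p icmp --icmp-type echo-request -m hashlimit --hashlimit-name ping --hashlimit-mode srcip --hashlimit-above 5/second --hashlimit-burst 10 -j DROP
# SYN flood: per-source limit on new TCP connections.
-A ANTIDOS -p tcp --syn -m hashlimit --hashlimit-name syn --hashlimit-mode srcip --hashlimit-above 30/second --hashlimit-burst 60 -j DROP
COMMIT
EOF
}
```

The output can be checked without loading it by piping it to `iptables-restore --test` as root. Loading it replaces the existing filter table, so merge it with any rules already in place.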