
Fwd: [Xen-users] firewall domU

  • To: "XEN Mailing List" <xen-users@xxxxxxxxxxxxxxxxxxx>
  • From: "Thiago Camargo Martins Cordeiro" <thiagocmartinsc@xxxxxxxxx>
  • Date: Thu, 18 Dec 2008 15:56:41 -0200
  • Delivery-date: Thu, 18 Dec 2008 09:59:17 -0800
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

Forwarding to the list again:

---------- Forwarded message ----------
From: Thiago Camargo Martins Cordeiro <thiagocmartinsc@xxxxxxxxx>
Date: 2008/12/18
Subject: Re: [Xen-users] firewall domU
To: "Maximilian W. Zeller" <mawize@xxxxxxxxx>


 I forgot to say that in your www and mail domUs, its eth0 will be connected to "bridge=eth1"!

 Like this:
grep vif /etc/xen/mail01.cfg
vif         = [ 'mac=00:01:64:WW:YY:XX, bridge=eth1' ]


2008/12/18 Thiago Camargo Martins Cordeiro <thiagocmartinsc@xxxxxxxxx>


 I have 4 domUs acting as a firewall in a bridge fashion, but my hardware has 2 physical ethernets.

 In dom0, my public eth0 IP is, is the gateway of public network. My private eth1 IP is

 Create the file /etc/xen/scripts/network-bridge-wrapper with:

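#!/bin/sh
# Run the stock bridge script once per physical NIC; $1 is the action xend passes in.
/etc/xen/scripts/network-bridge "$1" netdev=eth0
/etc/xen/scripts/network-bridge "$1" netdev=eth1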

 In /etc/xen/xend-config.sxp change the line:
(network-script network-bridge)
 to:
(network-script network-bridge-wrapper)  # ...and restart xendomains / xend.

 In your domU firewall configuration file, "vif" must be like this:

grep vif /etc/xen/firewall01.cfg
vif         = [ 'mac=00:01:64:ac:8f:2c, bridge=eth0', 'mac=00:01:64:9b:b5:1b, bridge=eth1' ]

 So you will have two ethernets in your domU firewall, each of them connected to its relative public/private bridge.

 In your domU eth0, configure the public IP with gateway (the same gateway of dom0) and in your domU eth1, configure the IP, this will be the gateway for all your domUs, living on the same hypervisor or not (it's a bridge, remember). Ah! You do not need an interface for each domU...

  I hope this helps you in your scenario.


2008/12/18 Maximilian W. Zeller <mawize@xxxxxxxxx>
We would like to implement the following scenario .. please look at the png attachment

Main Question:
How do I set up a domU firewall/router with one interface bridged to the internet and interfaces connected to other domUs? Do we even need an interface for each connected domU?

thanks in advance
merry xmas


Xen-users mailing list
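
An added example, not part of the original thread: a small audit of the layout described above, checking that only the firewall domU has a vif on the public bridge (eth0) and that every other domU sits on the private bridge (eth1). The www01.cfg name, the sample MAC addresses for mail01 and www01, and the "<default>" marker for a vif with no bridge option are assumptions made for the illustration.

```python
import ast

# Constructed sample configs; only the firewall01.cfg vif line is taken from the thread.
SAMPLE_CONFIGS = {
    "firewall01.cfg": "vif = [ 'mac=00:01:64:ac:8f:2c, bridge=eth0',"
                      " 'mac=00:01:64:9b:b5:1b, bridge=eth1' ]\n",
    "mail01.cfg": "vif = [ 'mac=00:01:64:00:00:01, bridge=eth1' ]\n",
    # Misconfigured on purpose: a guest attached straight to the public bridge.
    "www01.cfg": "# vif = [ 'bridge=eth1' ]\n"
                 "vif = [ 'mac=00:01:64:00:00:02, bridge=eth0' ]\n",
}

def vif_bridges(cfg_text):
    """Return the bridge named by each vif entry of one domU config file."""
    bridges = []
    # xm config files use Python syntax, so parse them without executing them.
    for node in ast.parse(cfg_text).body:
        if isinstance(node, ast.Assign) and any(
                isinstance(t, ast.Name) and t.id == "vif" for t in node.targets):
            bridges = []  # a later assignment overrides an earlier one
            for entry in ast.literal_eval(node.value):
                opts = dict(kv.strip().split("=", 1)
                            for kv in entry.split(",") if "=" in kv)
                bridges.append(opts.get("bridge", "<default>"))
    return bridges

def audit(configs, public_bridge="eth0", firewalls=("firewall01.cfg",)):
    """List (config, reason) findings for guests that can bypass the firewall."""
    findings = []
    for name, text in sorted(configs.items()):
        bridges = vif_bridges(text)
        if name in firewalls:
            if public_bridge not in bridges or len(set(bridges)) < 2:
                findings.append((name, "firewall domU must sit on both bridges"))
            continue
        for bridge in bridges:
            if bridge == public_bridge:
                findings.append((name, "vif on %s bypasses the firewall domU" % bridge))
            elif bridge == "<default>":
                findings.append((name, "vif has no explicit bridge"))
    return findings

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_CONFIGS):
        print("%s: %s" % (name, reason))
```

To check a real host, build the dictionary from the files under /etc/xen instead of SAMPLE_CONFIGS.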
