
Re: [Xen-users] Network Interface Problems for DomU Firewall

On Friday 31 July 2009, Tom Jensen wrote:
> As I mentioned before, my ultimate goal is to configure a standard three
> interface firewall within the DomU.  Most of the information I have found
> on the subject suggests the most secure way to accomplish this is to
> dedicate the interface connected to the Internet to the DomU using PCI
> passthrough.  The other two interfaces (DMZ & LAN) would be virtual
> interfaces bridged to the Dom0.  I am open to other concepts for creating
> a firewall DomU if anyone cares to share their configurations.

How about having the firewall inside dom0? If it doesn't have more to do than 
routing/firewalling, I think a separate domU is a bit overblown.

You could replace /etc/xen/scripts/network-bridge with a dummy script (always 
exit 0, no interface renaming), create simple bridges, e.g. brnet (bridge 
interface eth0) and brlan/brdmz (no bridge interfaces, no IP), and add the domU 
vifs to these bridges.

You could now firewall inside the bridges.

Have a look at http://www.shorewall.net/manpages/shorewall-hosts.html if you 
use it. Works fine.



"Without music to decorate it, time is just a bunch of boring production
 deadlines or dates by which bills must be paid."
        --- Frank Vincent Zappa
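The bridge layout sketched in the reply above, written out as an added example (mine, not from the mail or the Xen project). It assumes the Internet-facing NIC is eth0 and uses iproute2 rather than brctl; set RUN=echo for a dry run.

```shell
#!/bin/sh
# Added example, not from the mail above: the bridge layout the reply sketches.
# brnet enslaves the Internet-facing NIC; brlan and brdmz get no physical port
# and no IP address, so guests on them can only reach anything else through
# dom0's firewall. Assumptions: the WAN NIC is eth0 and xend's network-bridge
# script has already been replaced by the dummy written below.
# Set RUN=echo to print the commands instead of running them (they need root).
RUN=${RUN:-}
WAN_IF=${WAN_IF:-eth0}

# Write the do-nothing replacement for /etc/xen/scripts/network-bridge.
# $1 = destination path (the real path on dom0, or a temp file for a dry run)
write_dummy_network_bridge() {
    printf '#!/bin/sh\n# bridges are created outside xend; do not rename eth0\nexit 0\n' > "$1"
    chmod 755 "$1"
}

# $1 = bridge name, $2 = optional physical port to enslave (only brnet has one)
make_bridge() {
    $RUN ip link add name "$1" type bridge
    if [ -n "${2:-}" ]; then
        $RUN ip link set dev "$2" master "$1"
        $RUN ip link set dev "$2" up
    fi
    # deliberately no 'ip addr add': brlan/brdmz stay pure layer-2 attachment points
    $RUN ip link set dev "$1" up
}

setup_bridges() {
    make_bridge brnet "$WAN_IF"
    make_bridge brlan
    make_bridge brdmz
}

# vif line for a guest's /etc/xen/<name> config; $1 = the zone bridge it belongs to
vif_line() {
    case "$1" in
        brnet|brlan|brdmz) printf "vif = [ 'bridge=%s' ]\n" "$1" ;;
        *) echo "unknown bridge: $1" >&2; return 1 ;;
    esac
}
```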
