Re: [Xen-users] Network Interface Problems for DomU Firewall
Hi,

I ran with such a config for about 3 years on my home network without problems:

- Linux with shorewall in a domU
- PCI passthrough for the ethernet card connected to the internet.
- Two bridges: br-dmz and br-loc configured at the OS level on dom0 (disabled the network-bridge script).
- As all my DMZ hosts were domUs, there was no physical interface linked to the br-dmz bridge.
- All guests paravirtualized (no virtualization support in my CPU at that time).

Nothing to say, this just worked.

AFAIR, I had some problems with the PCI passthrough that I solved by using a different brand for the ethernet card connected to the internet. This is probably fixed now.

Some 5 months ago, I had to migrate to KVM/libvirt because of lack of support for ivtv and nvidia in a Xen dom0. I had to use a bridge for the connection to the internet interface; this works too.

François.

----- Original Message -----
From: "Christian Fischer" <Christian.Fischer@xxxxxxxxxxxxxxxxxxx>
To: xen-users@xxxxxxxxxxxxxxxxxxx
Sent: Friday, 31 July, 2009 21:46:04 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Re: [Xen-users] Network Interface Problems for DomU Firewall

On Friday 31 July 2009, Tom Jensen wrote:
> [snip]
>
> As I mentioned before, my ultimate goal is to configure a standard three
> interface firewall within the DomU. Most of the information I have found
> on the subject suggests the most secure way to accomplish this is to
> dedicate the interface connected to the Internet to the DomU using PCI
> passthrough. The other two interfaces (DMZ & LAN) would be virtual
> interfaces bridged to the Dom0. I am open to other concepts for creating
> a firewall DomU if anyone cares to share their configurations.

How about having the firewall inside dom0? If it hasn't more to do than routing/firewalling, I think a separate domU is a bit blown.

You could replace /etc/xen/scripts/network-bridge with a dummy script (always exit 0, no interface renaming), create simple bridges, e.g. brnet (bridge interface eth0) and brlan/brdmz (no bridge interfaces, no IP), and add the domU vifs to these bridges. You could now firewall inside the bridges. Have a look at http://www.shorewall.net/manpages/shorewall-hosts.html if you use it.

Works fine.

Christian

>
> --
> Fajar
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users

--
"Without music to decorate it, time is just a bunch of boring production deadlines or dates by which bills must be paid." --- Frank Vincent Zappa
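The dom0 bridge layout Christian describes (network-bridge script replaced by a no-op, brnet carrying the uplink, brlan and brdmz with no physical port and no address), written out as an added POSIX shell example that is not from the thread. It uses iproute2 instead of the brctl of the era, assumes eth0 is the Internet-facing NIC, and prints the commands instead of running them when DRY_RUN=1 is set.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: build the three dom0
# bridges by hand after /etc/xen/scripts/network-bridge has been replaced
# with a script that only does "exit 0".
#   brnet  - bridge holding the physical uplink (eth0 is an assumption)
#   brlan  - bridge for LAN guests: no physical port, no address on dom0
#   brdmz  - bridge for DMZ guests: no physical port, no address on dom0
# DRY_RUN=1 prints each command instead of executing it.
set -eu

UPLINK="${UPLINK:-eth0}"   # assumption: NIC facing the Internet

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create an empty bridge and keep it address-less: disabling IPv6 stops the
# kernel from giving dom0 a link-local address on the isolated bridges, so
# guests on brlan/brdmz cannot reach dom0 through the bridge itself.
make_bridge() {
    run ip link add name "$1" type bridge
    run sysctl -q -w "net.ipv6.conf.$1.disable_ipv6=1"
    run ip link set "$1" up
}

setup_bridges() {
    make_bridge brnet
    make_bridge brlan
    make_bridge brdmz
    # Only the uplink is enslaved; the two inner bridges keep no physical port.
    run ip link set "$UPLINK" master brnet
    run ip link set "$UPLINK" up
    # Make bridged frames pass through the iptables chains (br_netfilter),
    # which is what lets a dom0 ruleset filter traffic between vifs on a bridge.
    run sysctl -q -w net.bridge.bridge-nf-call-iptables=1
}

# Hypothetical domU vif line matching the three bridges above:
#   vif = [ 'bridge=brnet', 'bridge=brlan', 'bridge=brdmz' ]

case "${1:-}" in
    apply) setup_bridges ;;   # run as: sh setup-bridges.sh apply
esac
```

Run with `DRY_RUN=1 sh setup-bridges.sh apply` first to review the exact commands before applying them as root on dom0.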