Re: [Xen-users] Question about using Xen in a periphery firewall/router scenario
On Thu, Aug 20, 2009 at 7:43 PM, Simon Hobson <linux@xxxxxxxxxxxxxxxx> wrote:
> Sanjay Arora wrote:
>> Is this possible? If so, is it secure? Or does dom0 always have direct
>> access to Network Card and needs a separate firewall? And packets will
>> always route from dom0 to all domUs ?
>
> OK, there are two ways to deal with this.
> An alternative is to create more than one bridge in Dom0. The 'outside'
> bridge will have members of the real network card, and the VIF for your
> firewall DomU. Dom0 either has no interface defined on this bridge*, or some
> iptables rules to block all outside traffic. The 'internal' bridge has
> member interfaces for Dom0, your firewall DomU, and all other DomUs. The
> route for packets is then:
>
> real i/f -> ext bridge -> VIF -> DomU (firewall) -> VIF -> int bridge \
>                                                    [ Dom0 | VIF -> DomU ]

This is what I use. From a security perspective, this is the same as having
an L2 switch (when dom0's bridges have no IP address) or L3 switch (when
dom0's bridges have an IP address)

--
Fajar

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
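As an added example (not code from this thread or from Xen), a small dom0 audit for the two-bridge layout described above: it flags a dom0 IP address on the external bridge (the "L3 switch" case, where dom0 itself is reachable from outside) and any non-firewall domU whose VIF sits on the external bridge. Bridge names xenbr-ext/xenbr-int, the domU names and all sample data are constructed assumptions.

```python
import re

# Constructed sample of `ip -o -4 addr show` on dom0 (not captured output).
DOM0_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
4: xenbr-int    inet 10.0.0.1/24 brd 10.0.0.255 scope global xenbr-int
"""

# Constructed vif = [...] entries as they would appear in each domU's xl config.
DOMU_VIFS = {
    "fw":  ["mac=00:16:3e:00:00:01,bridge=xenbr-ext",
            "mac=00:16:3e:00:00:02,bridge=xenbr-int"],
    "web": ["mac=00:16:3e:00:00:03,bridge=xenbr-int"],
    "db":  ["mac=00:16:3e:00:00:04,bridge=xenbr-ext"],  # deliberately misplaced
}

def vif_bridges(vif_entries):
    """Set of bridge names a domU's vif list attaches to."""
    return {m.group(1) for e in vif_entries
            for m in [re.search(r"(?:^|,)bridge=([^,]+)", e)] if m}

def dom0_bridge_addrs(addr_output):
    """Map interface name -> IPv4 addresses from `ip -o -4 addr` text."""
    addrs = {}
    for line in addr_output.splitlines():
        m = re.match(r"\d+:\s+(\S+)\s+inet\s+(\S+)", line)
        if m:
            addrs.setdefault(m.group(1), []).append(m.group(2))
    return addrs

def audit(addr_output, domu_vifs, ext_bridge, int_bridge, firewall):
    """Return findings; empty means the external bridge is a pure L2 switch
    with only the firewall domU straddling both bridges."""
    findings = []
    for ip in dom0_bridge_addrs(addr_output).get(ext_bridge, []):
        findings.append(f"dom0 holds {ip} on {ext_bridge}: dom0 is reachable from outside (L3)")
    for dom, vifs in domu_vifs.items():
        on = vif_bridges(vifs)
        if dom == firewall:
            for b in (ext_bridge, int_bridge):
                if b not in on:
                    findings.append(f"firewall {dom} has no VIF on {b}")
        elif ext_bridge in on:
            findings.append(f"{dom} has a VIF on {ext_bridge}: bypasses the firewall domU")
    return findings

if __name__ == "__main__":
    for f in audit(DOM0_ADDR, DOMU_VIFS, "xenbr-ext", "xenbr-int", "fw"):
        print("WARN:", f)
```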