Re: [Xen-users] Re: Network isolation - PCI passthrough question
On 20/12/2010 23:45, dave wrote:
>> As far as I have seen, there is no way to attach a domU NIC directly to
>> my firewall domU. So, dom0 will always have access to network traffic
>> from domU, right?
> Only if you add the dom0 interface to the bridge. For example:
>
> domu-2  : tap2  --|
> domu-1  : tap1  --|
> domu-fw : tapfw --|
>                   |
>                tap-br0
>                   |
> dom0    : tap0  --|
>
> so only do
>   brctl addif tap-br0 tap0
> when dom0 needs to join the LAN, then
>   brctl delif tap-br0 tap0
> when you want dom0 to leave the LAN.
>
> Again, I'm not sure if this is what you're trying to do, but it will
> isolate dom0 from your virtual LAN.

Hello,

I understand what you mean. But even if dom0 has no interface bridged, I
think I'll be able to listen to network traffic, no? That is, a
tcpdump -i tap-br0 will display network traffic from domU, right?

Then, what if I want to block that? Will I have to use a VPN (either SSL or
IPsec) in order to make dom0 unable to listen for traffic? Is it realistic?

I want to mitigate the consequences if dom0 gets compromised; that's why I'm
trying to isolate the network.

Thanks for all the explanations, I have many things to test now :)

Regards,
JB

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
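An added audit script, not from the thread, that checks the state dave's addif/delif toggling produces: whether dom0's own port (tap0 in the diagram) is currently a member of the virtual-LAN bridge, by parsing `brctl show` output. It assumes the usual brctl layout (header line, one line per bridge with its first port, one continuation line per further port); the sample output is constructed from the diagram, and it checks port membership only, since the bridge device itself remains a dom0 kernel object, which is exactly the point JB raises.

```shell
# Added example: parse `brctl show` text and list the ports of one bridge.
# $1: output of `brctl show`, $2: bridge name -> prints space-separated ports
bridge_members() {
    printf '%s\n' "$1" | awk -v br="$2" '
        function add(p) { out = out sep p; sep = " " }
        NR == 1 { next }                              # column header line
        NF >= 3 { cur = $1                            # bridge line (name, id, STP, first port)
                  if (cur == br && NF >= 4) add($4)   # a bridge with no ports has only 3 fields
                  next }
        NF == 1 && cur == br { add($1) }              # continuation line: one more port
        END { print out }'
}

# $1: `brctl show` text, $2: bridge, $3: dom0 interface (tap0 in the thread).
# Returns 0 if dom0 is attached to the bridge, 1 if it has left it.
dom0_attached() {
    members=$(bridge_members "$1" "$2")
    for m in $members; do
        if [ "$m" = "$3" ]; then
            echo "$3 is a port of $2 (ports: $members): dom0 is on the virtual LAN"
            return 0
        fi
    done
    echo "$3 is not a port of $2 (ports: $members): dom0 has left the virtual LAN"
    return 1
}

# Constructed sample output (not captured from a real host): the topology from
# dave's diagram before and after `brctl delif tap-br0 tap0`, plus an empty bridge.
SAMPLE_BEFORE=$(printf 'bridge name\tbridge id\t\tSTP enabled\tinterfaces\ntap-br0\t\t8000.feffffffffff\tno\t\ttap1\n\t\t\t\t\t\t\ttap2\n\t\t\t\t\t\t\ttapfw\n\t\t\t\t\t\t\ttap0\nxenbr1\t\t8000.feaaaaaaaaaa\tno\n')
SAMPLE_AFTER=$(printf 'bridge name\tbridge id\t\tSTP enabled\tinterfaces\ntap-br0\t\t8000.feffffffffff\tno\t\ttap1\n\t\t\t\t\t\t\ttap2\n\t\t\t\t\t\t\ttapfw\nxenbr1\t\t8000.feaaaaaaaaaa\tno\n')

# Stand-alone demonstration; the second call is expected to return 1.
dom0_attached "$SAMPLE_BEFORE" tap-br0 tap0 || :
dom0_attached "$SAMPLE_AFTER" tap-br0 tap0 || :
```

On a live dom0 the same check is `dom0_attached "$(brctl show)" tap-br0 tap0`, which can run from cron or a monitoring agent to alert whenever tap0 is found on the bridge outside a planned maintenance window.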