
Re: [Xen-users] Firewall in domU, networking in XEN

  • To: xen-users@xxxxxxxxxxxxx
  • From: Alexandre Kouznetsov <alk@xxxxxxxxxx>
  • Date: Mon, 30 Apr 2012 12:22:48 -0500
  • Delivery-date: Mon, 30 Apr 2012 17:24:04 +0000
  • List-id: Xen user discussion <xen-users.lists.xen.org>


The setup you just described looks good and it's pretty usable; we use very similar ones here. Bridged network, OpenVPN, dnsmasq, nginx as a reverse HTTP proxy or rinetd (instead of port forwarding). We even set up approx for Debian repository caching and PXE to service the DomUs.

Simon Hobson has just made quite good suggestions; I don't have much to add, except two details:

Request at least 2 external IPs from your provider, and give one of them to your Dom0. Firewall it hard, set up port knocking, whatever, but leave yourself an emergency access via SSH directly to Dom0. One day your domU firewall will stop responding, even after a hard reboot, and you will need a way to find out what's up. Also, if your provider can give you access to their private network, it's useful to have access to the IPMI interface (exposing it to the Internet is a bad idea).

Consider a second NIC as an internal interface. Grab a cheap one and label it with a big red warning "do not connect". It will be useful for setup tests, and the internal bridge for the Xen network will be more "standard" from the OS's point of view than a "dry" one. $3-$5, worth it.

Alexandre Kouznetsov
