Re: [Xen-users] Firewall in domU, networking in XEN

[Alexandre Kouznetsov <alk@xxxxxxxxxx>]

Hello.

The setup you just described looks good and it's pretty usable, we use 
very similar ones here. Bridged network, OpenVPN, dnsmasq, nginx as 
inverse HTTP proxy or rinetd (instead of port forwarding). We even use 
set up approx for Debian repository caching and PXE to service the DomU's.
Simon Hobson just have made quite good suggestions, i don't have much to 
add, except two details:
Request at least 2 external IP's from you provider, and give one of them 
to your Dom0. Firewall it hardly, set up port knocking, whatever, but 
leave yourself an emergency access via SSH directly to Dom0. One day 
your domU firewall will stop responding, even after hard reboot, and you 
will need a way to find out what's up. Also, if you provider can give 
you access to his private network, it's useful to have access to the 
IPMI interface (bad idea to expose it in Internet).
Consider a second NIC, as a internal interface. Grab cheap one, label it 
with a big red warning "do not connect". It will be useful for setup 
tests, and the internal bridge for Xen network will be more "standard" 
from OS's point of view than a "dry" one. $3-$5 worth it.
--
Alexandre Kouznetsov

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users