Re: [Xen-devel] Bridging firewall?
On Fri, 21 Jan 2005 13:55:35 +0000 Grzegorz Milos <gm281@xxxxxxxxxxxxxxxx> wrote:

> > Is it possible with Xen to construct something like the following scenario.
> >
> > Free/NetBSD (*) domU server running pf or Linux/iptables, acting as a
> > routing or bridging firewall for all the other domU guests? Furthermore
> > create virtual DMZ and internal services.

I've done it and it has been running for two or three months at home, and it seems to work ...

> >
> > You'd probably keep the dom0 instance outside this setup, with its own
> > filtering arrangement.
> >
> If you give direct network device access to the first domU you can set up your
> scheme fairly easily. Otherwise (in the standard setup) dom0 will be handling
> all the incoming/outgoing traffic with no involvement from the first domU (so no
> firewall possible there).

Not sure, see my setup: I've two cards in dom0: eth0 and eth1. eth1 is linked to my xDSL modem, eth0 to a switch for the other physical machines; eth0 is also shared with the other xenU domains (those which are considered to be after the firewall).

br0 encapsulates eth0, one of the virtual network cards of my firewall (the one considered filtered) and the other xenU virtual network cards.

br1 encapsulates eth1 and the other virtual network card of the firewall.

My basic idea was not to configure eth1 at all; I thought that if the interface is not activated there is no chance of attacking xen0. It turns out that in order to have the packets directed to xenFirewall's input, I must do "ifconfig eth1 up". Doing it this way, I must say that I feel less comfortable, but I still have faith (and some iptables rules in dom0). In order to feel secure I've activated the antispoof options, but as they were broken for me I tweaked the rules a little ... If someone is interested I can post my script and give some explanations.

I must say that I'm planning to switch to a solution where my eth1 is directly exported into xenFirewall.

>
> Cheers
> Gregor
>
> > For instance, you have a subnet 192.168.1.0/24. Put the dom0 on
> > 192.168.1.254. Have the firewall router domU running on 192.168.1.1 and
> > acting as the gateway for all the other machines on the subnet.
> >
> >
> > (*) This is my dream, using pf for security and debian for serving the
> > applications. ;)

HTH
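The two-bridge layout the reply describes (br0 = eth0 + the firewall domU's filtered vif + the other domUs' vifs; br1 = eth1 + the firewall domU's outside vif, with eth1 up but unaddressed in dom0) written out as a dom0 shell script. This is an added example, not the poster's script or Xen's own network script; the vif names (firewall domU as domain 1 with vif1.0 inside and vif1.1 outside) and the dom0 address are assumptions, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# dom0 bridge setup for a firewall domU sitting between eth1 (xDSL side) and
# eth0 (LAN side), as in the reply. Assumed names (not from the post): the
# firewall domU is domain 1 with vif1.0 on the filtered side and vif1.1 on
# the outside; the other domUs' vifs are listed in LAN_VIFS.
# Usage: sh bridges.sh up   (DRY_RUN=1 prints the commands instead)
set -eu

OUT_IF=${OUT_IF:-eth1}            # to the modem: up, but no address in dom0
LAN_IF=${LAN_IF:-eth0}            # to the LAN switch: dom0 keeps its address
FW_IN_VIF=${FW_IN_VIF:-vif1.0}    # firewall domU, filtered side (assumed name)
FW_OUT_VIF=${FW_OUT_VIF:-vif1.1}  # firewall domU, outside (assumed name)
LAN_VIFS=${LAN_VIFS:-}            # vifs of the other domUs, space separated
DOM0_IP=${DOM0_IP:-192.168.1.254}
DOM0_MASK=${DOM0_MASK:-255.255.255.0}

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# br1 joins eth1 and the firewall's outside vif. eth1 has to be up for frames
# to reach the firewall domU, but 0.0.0.0 keeps dom0 from owning any address
# (and so from answering anything) on that side.
setup_outside_bridge() {
    run brctl addbr br1
    run brctl stp br1 off
    run ifconfig "$OUT_IF" 0.0.0.0 up
    run brctl addif br1 "$OUT_IF"
    run brctl addif br1 "$FW_OUT_VIF"
    run ifconfig br1 0.0.0.0 up
}

# br0 joins eth0, the firewall's filtered vif and the other domUs' vifs;
# dom0's own LAN address moves from eth0 onto br0.
setup_inside_bridge() {
    run brctl addbr br0
    run brctl stp br0 off
    run ifconfig "$LAN_IF" 0.0.0.0 up
    run brctl addif br0 "$LAN_IF"
    run brctl addif br0 "$FW_IN_VIF"
    for v in $LAN_VIFS; do run brctl addif br0 "$v"; done
    run ifconfig br0 "$DOM0_IP" netmask "$DOM0_MASK" up
}

# Belt and braces: nothing arriving via the outside bridge may be delivered
# to dom0 itself, even if br1 later gets an address by mistake.
dom0_input_rules() {
    run iptables -A INPUT -i br1 -j DROP
}

case "${1:-}" in up) setup_outside_bridge; setup_inside_bridge; dom0_input_rules ;; esac
```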