RE: [Xen-users] Ideal(istic) Xen firewall design
Marcus Brown wrote:
> Hi Dirk,
>
> Dirk H. Schulz wrote:
> > Hi Marcus,
> >
> > thanks for so much info!
> >
> > Just a short question before I start digging into your configs: What
> > do you gain by running the firewall inside a privileged guest system
> > instead of inside dom0?
> >
>
> It's modular, restartable, replaceable, ...
> (i.e. I can reboot the firewall without rebooting all the domUs)
> errr oh, and someone gaining root access to the firewall won't be able
> to play with xend, or the filesystems of the domUs.
>
> I'm sure there are other good reasons :)

Yep, like if you are consolidating an existing "bunch" of servers you can (probably) keep your current set of firewall rules that your current physical firewall uses.

I'm currently looking at using Xen to consolidate our firewall, front end (mail, dns, proxy), application & file servers all into the one box (3 of those sit 98% idle.....). The complex firewall rules (5 diff zones) are built with fwbuilder (www.fwbuilder.org) and so I can probably just rename the ethernet devices and hit "compile" to generate the iptables rules for the new Xen firewall.

Hopefully this thread has given me enough info to handle all the bridging! :)

But it is still tempting to just do away with the separate firewall vm and do all the firewalling in Dom0!

> I've got all my domains (except dom0) on lvm+raid so
> snapshotting is a great way of testing and making backups.
>
> This is just the start, though ... more ideas being worked on atm.
>
> Marcus.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
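The "rename the ethernet devices and hit compile" step above only works cleanly if the ruleset is written against zone names rather than literal interface names. The script below is an added example, not code from the thread, fwbuilder, or the Xen project: a small zone-parameterised iptables ruleset for a firewall domU with three zones (Internet, DMZ front end, internal servers). The interface names, zone networks and port lists are assumptions chosen to match the thread's description; in practice each `*_IF` is a vif that dom0 attaches to a separate bridge, so moving from the physical firewall to the guest means changing those variables and regenerating, nothing else.

```shell
#!/bin/sh
# Added example (not from the thread): zone-parameterised iptables rules for a
# firewall domU. Interface names, networks and ports below are assumptions.

# Interface per zone inside the firewall domU (hypothetical: dom0 attaches each
# vif to a different bridge, so eth0/eth1/eth2 here are three separate zones).
EXT_IF="${EXT_IF:-eth0}"   # Internet-facing bridge
DMZ_IF="${DMZ_IF:-eth1}"   # front end: mail, dns, proxy
INT_IF="${INT_IF:-eth2}"   # application and file servers

# Zone networks (constructed example addresses).
DMZ_NET="${DMZ_NET:-192.0.2.0/24}"
INT_NET="${INT_NET:-198.51.100.0/24}"

# gen_rules: emit the ruleset in iptables-restore format on stdout.
# Nothing is applied here; see apply_rules.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Anti-spoofing first: DMZ and internal vifs may only source their own nets.
-A FORWARD -i $DMZ_IF ! -s $DMZ_NET -j DROP
-A FORWARD -i $INT_IF ! -s $INT_NET -j DROP
# Loopback and established/related traffic are always fine.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Management: SSH to the firewall itself only from the internal zone.
-A INPUT -i $INT_IF -s $INT_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Internet -> DMZ: published services only.
-A FORWARD -i $EXT_IF -o $DMZ_IF -d $DMZ_NET -p tcp -m multiport --dports 25,53,80,443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $EXT_IF -o $DMZ_IF -d $DMZ_NET -p udp --dport 53 -j ACCEPT
# Internal -> DMZ: mail, DNS and the proxy; nothing else.
-A FORWARD -i $INT_IF -o $DMZ_IF -s $INT_NET -d $DMZ_NET -p tcp -m multiport --dports 25,53,3128 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $INT_IF -o $DMZ_IF -s $INT_NET -d $DMZ_NET -p udp --dport 53 -j ACCEPT
# Internal -> Internet: nothing direct, everything goes via the DMZ proxy.
-A FORWARD -i $INT_IF -o $EXT_IF -j DROP
# DMZ -> Internet: outbound mail, DNS and web from the DMZ hosts only.
-A FORWARD -i $DMZ_IF -o $EXT_IF -s $DMZ_NET -p tcp -m multiport --dports 25,53,80,443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $DMZ_IF -o $EXT_IF -s $DMZ_NET -p udp --dport 53 -j ACCEPT
# DMZ -> Internal: never initiated from the DMZ.
-A FORWARD -i $DMZ_IF -o $INT_IF -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $EXT_IF -j MASQUERADE
COMMIT
EOF
}

# rule_count: number of "-A" rule lines the generator emits. Useful as a sanity
# check before and after renaming interfaces: the count must not change.
rule_count() {
    gen_rules | grep -c '^-A '
}

# apply_rules: load the whole ruleset atomically and enable forwarding.
# Only run this inside the firewall domU, as root.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_rules | iptables-restore
}

# Usage: sh fw.sh show   -> print the ruleset for review
#        sh fw.sh apply  -> load it with iptables-restore
case "${1:-}" in
    show)  gen_rules ;;
    apply) apply_rules ;;
esac
```

Two points worth noting for the "firewall in a domU" design the thread argues for: the ruleset is loaded with `iptables-restore` so a reboot of the firewall guest brings the full policy up in one step rather than rule by rule, and the anti-spoofing lines are only meaningful if dom0 really does put each domU's vif on the bridge for its zone, since a guest attached to the wrong bridge bypasses the firewall entirely.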