
Re: [Xen-users] Remote management of DomU



On Friday 23 December 2005 07:03, John A. Sullivan III wrote:
> Just as a suggestion, I always cringe to put any device other than a
> firewall directly on the Internet with public IPs especially a domU just

In my case, I have a DomU acting as my firewall :-)

To do remote management of the Dom0, I took rupi's suggestion and created a 
third bridge on my Dom0, but gave it an IP.  I then exported the bridge to my 
firewall domU where it became a 4th interface, "eth3".  I then gave this new 
interface on the firewall an IP on the same subnet as the "administrative" 
bridge I created on Dom0, and now I can ssh into the Dom0 from the firewall 
domU.

My configuration now looks like this:

On Dom0 (Debian Sarge):

/etc/network/interfaces
auto br-lan0 br-dmz0 br-adm0
# LAN bridge (no Dom0 address: Dom0 is not reachable from the LAN side)
iface br-lan0 inet manual
    bridge_ports eth0

# DMZ bridge (no Dom0 address either)
iface br-dmz0 inet manual
    bridge_ports eth1

# Administration bridge: no physical port, only a dummy device, so the
# only way onto it is through the firewall domU's vif
iface br-adm0 inet static
    address 10.253.3.2
    netmask 255.255.255.0
    bridge_ports dummy0


/etc/xen/01_fw01
...
nics = 3
vif = [
          'mac=aa:00:00:11:e2:d1,bridge=br-lan0',
          'mac=aa:00:00:11:e2:d2,bridge=br-dmz0',
          'mac=aa:00:00:11:e2:d3,bridge=br-adm0'
          ]
...


And on the firewall DomU, I just simply configure networking as I normally 
would (using the OS's networking config files; I use Mandriva in this case)

    eth0 -> Internet interface, gets IP from ISP (also a physical interface 
hidden from Dom0)
    eth1 -> LAN interface, 10.253.1.1
    eth2 -> DMZ interface, 10.253.2.1
    eth3 -> administrative interface for Dom0, 10.253.3.1

and so far it all works rather nicely.  The firewall DomU of course has 
restrictive firewall rules on it about what is allowed to access Dom0 from 
the network.

I hope this can help someone else out.  I am in the process of writing a 
"recipe" for my setup and will likely post it once done, but I am not sure of 
its ETA.  Everything I did was pretty much pieced together from other posts 
on the list as well as helpful advice from others.

-Alan

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
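The property the layout above relies on is that Dom0 has no IP address on any bridge that carries a physical NIC (br-lan0 and br-dmz0 are `inet manual`), while the only addressed bridge, br-adm0, has nothing but a dummy port behind it, so the sole network path to Dom0 is through the firewall domU's eth3. The following is an added example, not code from Alan's post or from Xen or Debian, that parses the two configuration fragments and checks that property, plus a few sanity checks on the vif list. Both inputs are constructed here from the post's values (with the file name and the `iface` keyword corrected); the helper names `parse_interfaces`, `parse_vif`, `check_layout` and `admin_reachable` are this example's own.

```python
"""Check the Dom0-bridge / DomU-vif layout from the post for the property it
relies on: Dom0 has no IP address on any bridge that carries a physical NIC,
so the only network path to Dom0 runs through the firewall DomU's eth3.
Added example, not from the original post or from Xen/Debian; inputs are
constructed from the post's values (file name and 'iface' keyword corrected)
and the helper names are this example's own.
"""
import ipaddress
import re

# Constructed input: the Dom0 /etc/network/interfaces from the post.
INTERFACES = """\
auto br-lan0 br-dmz0 br-adm0
# LAN bridge
iface br-lan0 inet manual
    bridge_ports eth0
# DMZ bridge
iface br-dmz0 inet manual
    bridge_ports eth1
# Administration bridge
iface br-adm0 inet static
    address 10.253.3.2
    netmask 255.255.255.0
    bridge_ports dummy0
"""

# Constructed input: the vif list from /etc/xen/01_fw01.
VIF = [
    'mac=aa:00:00:11:e2:d1,bridge=br-lan0',
    'mac=aa:00:00:11:e2:d2,bridge=br-dmz0',
    'mac=aa:00:00:11:e2:d3,bridge=br-adm0',
]

VIRTUAL_PORTS = {"dummy0", "none"}   # bridge ports that are not physical NICs
MAC_RE = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}")


def parse_interfaces(text):
    """Map each 'iface' stanza name to its method, options and bridge_ports."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()   # strip comments, skip blanks
        if not words or words[0] in ("auto", "allow-hotplug"):
            continue
        if words[0] == "iface" and len(words) >= 4:
            cur = ifaces.setdefault(words[1], {"bridge_ports": []})
            cur["method"] = words[3]
        elif cur is not None and words[0] == "bridge_ports":
            cur["bridge_ports"] = words[1:]
        elif cur is not None:
            cur[words[0]] = " ".join(words[1:])
    return ifaces


def parse_vif(entries):
    """Turn Xen 'key=value,key=value' vif strings into dicts."""
    return [dict(p.split("=", 1) for p in e.split(",") if "=" in p) for e in entries]


def check_layout(ifaces, vifs):
    """Return findings; an empty list means the layout matches the design."""
    findings = []
    for name, cfg in ifaces.items():
        physical = [p for p in cfg["bridge_ports"] if p not in VIRTUAL_PORTS]
        if physical and cfg.get("method") == "static" and "address" in cfg:
            findings.append(f"{name}: Dom0 holds {cfg['address']} on a bridge "
                            f"with physical port(s) {physical}")
    macs = [v.get("mac", "") for v in vifs]
    for vif, mac in zip(vifs, macs):
        if vif.get("bridge") not in ifaces:
            findings.append(f"vif {mac}: bridge {vif.get('bridge')} not defined on Dom0")
        if not MAC_RE.fullmatch(mac):
            findings.append(f"vif {mac!r}: malformed MAC address")
        elif int(mac[:2], 16) & 0x01:
            findings.append(f"vif {mac}: multicast bit set, not a unicast MAC")
    if len(set(macs)) != len(macs):
        findings.append("duplicate MAC addresses in vif list")
    return findings


def admin_reachable(ifaces, admin_bridge, domu_ip):
    """True if the DomU's admin address lies on the Dom0 admin bridge's subnet."""
    cfg = ifaces[admin_bridge]
    net = ipaddress.ip_interface(f"{cfg['address']}/{cfg['netmask']}").network
    return ipaddress.ip_address(domu_ip) in net


if __name__ == "__main__":
    ifaces = parse_interfaces(INTERFACES)
    print("\n".join(check_layout(ifaces, parse_vif(VIF)) or ["layout OK"]))
    print("eth3 10.253.3.1 on br-adm0 subnet:", admin_reachable(ifaces, "br-adm0", "10.253.3.1"))
```

Run it against the real files before a reboot of Dom0: a later "helpful" edit that gives br-lan0 a static address is exactly the mistake that silently puts Dom0 back on the LAN, bypassing the firewall domU's rules, and it shows up as a finding here.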