Re: [Xen-users] Question about using Xen in a periphery firewall/router scenario
On Thursday 20 August 2009 13:33:07 Sanjay Arora wrote:
> Hello All
>
> XEN newbie here.
>
> If I install minimal linux for XEN in dom0 and a periphery firewall in
> domU and other applications in other instances of domU, is it possible
> to restrict/bind the network card to domU having periphery firewall
> and from there forward packets for dom0 or for other domUs?
>
> Is this possible? If so, is it secure? Or does dom0 always have direct
> access to Network Card and needs a separate firewall? And packets will
> always route from dom0 to all domUs?
>
> What are the issues involved?
>
> With best regards.
> Sanjay.

I actually set up separate bridges for each network card I have in my Router/Firewall/Server/.... Then I hook them all into the firewall-domU and only hook the separate domains to each bridge depending on where they belong in the network.

The dom0 uses a dummy-device to be connected to one of the bridges and this works correctly for me. I do, however, set up all the bridges, apart from the one that dom0 is connected to, but that is because I haven't figured out how to configure multiple bridges in the xen-configuration.

As for how secure it is, unless there is some attack-vector that can access the dom-0 over a bridge that only has the physical network device (no ip) and the connection to the firewall-domain, this should be quite safe. In the past 4 years that I've been using this set-up, I have not seen any evidence of any packets reaching the dom0 other than the ones I allow through the firewall.

Let me know if you want me to go more in-depth on how I set this up.

HTH,

Joost

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
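One way to verify the "physical network device (no ip)" condition described in the reply above, as an added example that is not part of the original post: the script parses `ip -o link show` and `ip -o addr show` output taken in dom0 and reports every address dom0 holds on a physical NIC or on the bridge that NIC is enslaved to. The interface names, addresses and the `exposed_addresses` helper are assumptions made for illustration, and the sample output is constructed.

```python
import re

# Constructed `ip -o link show` output from dom0 (names are assumptions, lines trimmed).
SAMPLE_LINKS = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br-wan state UP
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br-lan state UP
4: br-wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
6: vif1.0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br-wan state UP
"""

# Constructed `ip -o addr show` output from dom0 (lifetime fields trimmed).
SAMPLE_ADDRS = """\
1: lo    inet 127.0.0.1/8 scope host lo
4: br-wan    inet6 fe80::200:ff:fe00:1/64 scope link
5: br-lan    inet 192.168.1.2/24 brd 192.168.1.255 scope global br-lan
"""

def exposed_addresses(links, addrs, physical, allowed=()):
    """Return (iface, family, address) for each dom0 address that sits on a
    physical NIC or its bridge and is not on an explicitly allowed interface."""
    master = {}
    for line in links.splitlines():
        name = re.match(r"\d+:\s+([^:@\s]+)", line)
        if name:
            m = re.search(r"\bmaster (\S+)", line)
            master[name.group(1)] = m.group(1) if m else None
    # Interfaces facing a physical segment: the NICs and the bridges holding them.
    facing = set(physical) | {master[n] for n in physical if master.get(n)}
    findings = []
    for line in addrs.splitlines():
        m = re.match(r"\d+:\s+(\S+)\s+(inet6?)\s+(\S+)", line)
        # IPv6 link-local addresses count too: they make dom0 reachable at
        # layer 3 from that segment even when no IPv4 address is configured.
        if m and m.group(1) in facing and m.group(1) not in allowed:
            findings.append(m.groups())
    return findings

if __name__ == "__main__":
    # br-lan is the one bridge where dom0 is meant to have an address.
    for iface, family, addr in exposed_addresses(
            SAMPLE_LINKS, SAMPLE_ADDRS, {"eth0", "eth1"}, allowed={"br-lan"}):
        print(f"dom0 has {family} address {addr} on {iface}")
```

On a live dom0 the two text arguments would come from running the two `ip` commands, and the set of physical NICs from the host's own inventory.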