
Re: [Xen-users] Firewall in domU, networking in XEN



At 10:44 +0200 10/5/12, Sławek Kosowski wrote:

The idea for custom network script for dom0

Really, DON'T use network script - comment it out (ie don't use it at all) and use the host OS tools. network script is deprecated and is a hangover from the days when most distros didn't provide easy/convenient tools for managing bridges.

Now that most distros have good tools for this, there isn't really any need for Xen's network script - and using the OS tools means you'll have a config that works even when booting the host OS without Xen (eg for troubleshooting).

For example, in Debian you can (I think) do this in /etc/network/interfaces :

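# External bridge: holds the real NIC, no address in Dom0.
# "manual" because ifupdown's "static" method requires an address.
auto ethext
iface ethext inet manual
  bridge_ports eth0

# Internal bridge: no physical NIC, Dom0 has an address here.
auto ethint
iface ethint inet static
  bridge_ports none
  address 192.168.1.x
  netmask 255.255.255.0
  gateway 192.168.1.1

# DMZ bridge: no physical NIC, no address in Dom0.
auto ethdmz
iface ethdmz inet manual
  bridge_ports none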
If I've got it right, this will leave you with three bridges:

ethext has one member, the real NIC eth0. Dom0 has no access to it (no IP address configured).

ethint has no physical NICs. Dom0 has an IP in this network.

ethdmz also has no physical NIC, and also no access to Dom0.

You'd start up your first DomU for the firewall with VIFs connected to all three bridges. For all other DomUs you'd connect them to one or both of ethint and ethdmz according to their requirements.

You can use whatever names you like instead of ethext, ethint, and ethdmz. Personally I don't like using things like br0, br1, etc as it's harder to keep track of what's what.

--
Simon Hobson
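
Added example, not part of the original message and not Xen or Debian code: a Python check that reads an /etc/network/interfaces text plus each DomU's vif list and reports anything that breaks the isolation described above (Dom0 addressed only on ethint, the physical NIC only on ethext, only the firewall DomU attached to ethext). The guest names, the 192.168.1.2 address and the function names are assumptions made for the example.

```python
import re

# Constructed sample: the three-bridge layout from the message, with a
# made-up dom0 address in place of the 192.168.1.x placeholder.
INTERFACES = """\
iface ethext inet manual
  bridge_ports eth0
iface ethint inet static
  bridge_ports none
  address 192.168.1.2
  netmask 255.255.255.0
iface ethdmz inet manual
  bridge_ports none
"""
# Hypothetical guests; each entry is a Xen vif spec using the bridge= key.
DOMU_VIFS = {
    "firewall": ["bridge=ethext", "bridge=ethint", "bridge=ethdmz"],
    "web": ["bridge=ethdmz"],
    "files": ["bridge=ethint"],
}

def parse_bridges(text):
    """Return {name: options} for iface stanzas that set bridge_ports."""
    stanzas, cur = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#") or words[0] == "auto":
            continue
        if words[0] == "iface" and len(words) >= 2:
            cur = stanzas.setdefault(words[1], {})
        elif cur is not None:
            cur[words[0]] = " ".join(words[1:])
    return {n: o for n, o in stanzas.items() if "bridge_ports" in o}

def audit(interfaces, domu_vifs, external="ethext", dom0_net="ethint",
          firewall="firewall"):
    """List departures from the isolation the message describes."""
    bridges, findings = parse_bridges(interfaces), []
    for name, opts in bridges.items():
        if "address" in opts and name != dom0_net:
            findings.append(f"dom0 has an IP address on {name}")
        if opts["bridge_ports"] != "none" and name != external:
            findings.append(f"{name} carries physical port {opts['bridge_ports']}")
    for guest, vifs in domu_vifs.items():
        attached = set(re.findall(r"bridge=([^,\s]+)", ",".join(vifs)))
        for missing in sorted(attached - set(bridges)):
            findings.append(f"{guest} uses undefined bridge {missing}")
        if external in attached and guest != firewall:
            findings.append(f"{guest} reaches {external} without the firewall")
    return findings
```

An empty list from audit() means the configuration matches the intended layout; each string returned names one bridge or guest to look at.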
