Re: [Xen-users] Firewall in domU, networking in XEN

[Simon Hobson <linux@xxxxxxxxxxxxxxxx>]

At 10:44 +0200 10/5/12, =?ISO-8859-2?Q?S=B3awek_Kosowski?= wrote:

> The idea for custom network script for dom0
Really, DON'T use network script - comment it out (ie don't use it at 
all) and use the host OS tools. network script is deprecated and is a 
hangover from the days when most distros didn't provide 
easy/convenient tools for managing bridges.
Now that most distros have good tools for this, there isn't really 
any need for Xen's network script - and using the OS tools means 
you'll have a config that works even when booting the host OS without 
Xen (eg for troubleshooting).
For example, in Debian you can (I think) do this in /etc/network/interfaces :

auto ethext
iface ethext inet static
  bridge_ports eth0

auto ethint
iface ethint inet static
  bridge_ports none
  address 192.168.1.x
  netmask 255.255.255.0
  gateway 192.168.1.1

auto ethdmz
iface ethdmz inet static
  bridge_ports none

If I've got it right, this will leave you with three bidges :

ethext has one member, the real NIC eth0. Dom0 has no access to it 
(no IP address configured).
ethint has no physical NICs. Dom0 has an IP in this network.

ethdmz also has no physical NIC, and also no access to Dom0.

You'd start up your first DomU for the firewall with VIFs connected 
to all three bridges. For all other DomUs you'd connect them to one 
or both of ethint and ethdmz according to their requirements.
You can use whatever names you like instead of ethext, ethint, and 
ethdmz. Personally I don't like using things like br0, br1, etc as 
it's harder to keep track of what's what.
--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users