
Re: [Xen-users] Firewall in domU, networking in XEN


  • To: xen-users <xen-users@xxxxxxxxxxxxx>
  • From: Simon Hobson <linux@xxxxxxxxxxxxxxxx>
  • Date: Wed, 23 May 2012 20:22:42 +0100
  • Delivery-date: Wed, 23 May 2012 19:24:46 +0000
  • List-id: Xen user discussion <xen-users.lists.xen.org>

Sławek Kosowski wrote:

1. I need to create a virtual interface in dom0 that will connect to ethint (giving an access to LOC). Should I create an alias to eth0 (eth0:1) ?

No. You already have access to int from Dom0 - that's what the
   address 192.168.1.x
   netmask 255.255.255.0
   gateway 192.168.1.1
bit of the config does for you. The bridge itself becomes the interface in Dom0 - it should show as ethint in the output from ifconfig.


2. I cannot configure ethdmz in the way that you've shown. It works fine if I assign IP as in case ethint

The docs I found say it should work - not a setup I've used personally. Perhaps someone else can confirm if I've got the syntax correct. Do you get an error message ? Just "nothing" ? Does the bridge appear (brctl show) ?

3. How should I keep the configuration of eth0 if it won't have any IP (in dom0) - it will be bridged to domU1 ?

Should it be something like this:

auto eth0:0
iface eth0:0 inet manual

No, you just don't configure it at all. It will be bridged to a DomU and Dom0 will not have any access.


Before starting any DomUs, brctl show should give something like :
bridge name     bridge id               STP enabled     interfaces
ethext          8000.xxxxxxxxxxxx       no              eth0
ethint          8000.xxxxxxxxxxxx       no
ethdmz          8000.xxxxxxxxxxxx       no

After starting the first DomU as your firewall device, you should see it change to something like :
ethext          8000.xxxxxxxxxxxx       no              vifa.b
                                                        eth0
ethint          8000.xxxxxxxxxxxx       no              vifa.c
ethdmz          8000.xxxxxxxxxxxx       no              vifa.d

Not too sure about the "vifa.b" stuff, I give my DomUs explicit interface names, so I might see :
ethext          8000.xxxxxxxxxxxx       no              fwext
                                                        eth0
ethint          8000.xxxxxxxxxxxx       no              fwint
ethdmz          8000.xxxxxxxxxxxx       no              fwdmz

Eg, in the config for my firewall DomU, I might have something like :
vif = [ 'bridge=ethext,vifname=fwext', 'bridge=ethint,vifname=fwint', 'bridge=ethdmz,vifname=fwdmz' ]

I just like having meaningful names - makes things easier when you have a few VMs running. On the other hand, it causes some confusion when cloning a VM and I forget to change the names !

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
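A quick way to confirm that a host actually ends up with the layout the reply describes (eth0 on ethext only, Dom0 addressed on ethint, and no Dom0 address on the external bridge, so Dom0 is not directly reachable from outside) is to parse the `brctl show` and `ip -4 -o addr` output and check those three points. The script below is an added example, not from the original post or from Xen; the bridge ids, addresses and interface names other than the post's ethext/ethint/ethdmz, eth0 and fwext/fwint/fwdmz are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the post): sanity-check the three-bridge layout the
# reply describes. The input below is constructed sample output; on a real
# host you would pass "$(brctl show)" and "$(ip -4 -o addr show)" instead.

# Constructed `brctl show` output in the layout the reply expects. Bridge ids
# are made up. A bridge with several members lists the extra ones on
# continuation lines that carry only the interface name.
BRCTL_SAMPLE='bridge name     bridge id               STP enabled     interfaces
ethext          8000.001122334455       no              fwext
                                                        eth0
ethint          8000.00112233aabb       no              fwint
ethdmz          8000.00112233ccdd       no              fwdmz'

# Constructed `ip -4 -o addr show` output: Dom0 addressed on ethint only.
IP_GOOD='1: lo    inet 127.0.0.1/8 scope host lo
4: ethint    inet 192.168.1.2/24 brd 192.168.1.255 scope global ethint'

# Constructed misconfiguration: the external bridge was also given a Dom0 address.
IP_BAD="$IP_GOOD
3: ethext    inet 203.0.113.10/24 brd 203.0.113.255 scope global ethext"

# Emit "bridge member" pairs from brctl output, folding continuation lines.
bridge_members() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                        # column header
        NF == 4 { br = $1; print br, $4; next } # bridge with its first member
        NF == 3 { br = $1; next }               # bridge with no members yet
        NF == 1 { print br, $1 }'               # continuation line: extra member
}

# Print every bridge that holds the given interface (normally zero or one).
bridges_holding() {
    bridge_members "$1" | awk -v ifc="$2" '$2 == ifc { print $1 }'
}

# Print the interfaces that carry a Dom0 IPv4 address, one per line, sorted.
addressed_ifaces() {
    printf '%s\n' "$1" | awk '$3 == "inet" { print $2 }' | sort -u
}

# Return 0 when the layout matches the design, 1 otherwise, listing each problem.
check_topology() {
    brctl_out=$1; ip_out=$2; rc=0
    # 1. eth0 must be a member of ethext and of nothing else.
    holders=$(bridges_holding "$brctl_out" eth0 | tr '\n' ' ')
    [ "$holders" = "ethext " ] || { echo "eth0 should be on ethext only, found: ${holders:-none}"; rc=1; }
    # 2. Dom0 must not be addressed on the external bridge or on eth0 itself.
    for ifc in $(addressed_ifaces "$ip_out"); do
        [ "$ifc" = ethext ] && { echo "Dom0 has an address on ethext (external bridge)"; rc=1; }
        [ "$ifc" = eth0 ]   && { echo "Dom0 has an address on eth0; it should be left unconfigured"; rc=1; }
    done
    # 3. Dom0 must still reach the internal LAN through ethint.
    addressed_ifaces "$ip_out" | grep -qx ethint || { echo "Dom0 has no address on ethint"; rc=1; }
    return $rc
}

# Stand-alone demonstration against the constructed samples.
echo "good layout:"; check_topology "$BRCTL_SAMPLE" "$IP_GOOD" && echo "  ok"
echo "bad layout:";  check_topology "$BRCTL_SAMPLE" "$IP_BAD"  || echo "  rejected"
```

Run it before starting any DomU and again after the firewall DomU is up: the first run should show eth0 as the only member of ethext, the second should add the firewall's vif (or the vifname you gave it) on each bridge without changing where Dom0's address lives.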

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users
