[Xen-users] Comparing approaches to a firewall on a Xen server. Any experience or recommendations?

Hi

Sorry if this has been asked, or even answered, a gazillion times. Right now it feels like I've read most of them! :-/

My office is getting a Xen on Linux server donated. Looks like I'm on the hook to get it up and running. Been reading and testing bits and pieces. Most seem pretty straightforward. I have a question about putting a firewall on the Xen machine to provide a firewall for the machine host, the guests, and machines on the office LAN. I've found a lot of articles & examples about it, and am in the weeds a ways. IIUC there are basically four ways to handle the firewall:

(1) 2 ethernet interfaces in the Dom0 host, shorewall on the Dom0
(2) 2 ethernet interfaces in the Dom0 host, shorewall in a DomU guest
(3) 1 ethernet interface in the Dom0 host, 1 eth intfc in a DomU guest, shorewall in the guest
(4) 2 ethernet interfaces in the DomU guest, shorewall in the DomU guest, guest internal intfc connected to an Ethernet switch

So far I'm pretty convinced that
(A) this Xen server CAN be my 'edge' firewall/router for my office
(B) it's best to NOT load up the Dom0 with the firewall pkgs, so the fw goes in a DomU
(C) at least the external interface should be passed through to the guest to avoid DomU<>Dom0 traffic
(D) I should use a bridged, not routed, topology
(E) Linux' built-in L2 switch is good enough, and I likely don't need OpenVSwitch

If all of those are right, then I'm left with figuring out how best to handle the other interface, and getting the traffic from the 'net, "through" the Xen server & a switch, then to the LAN.

At the moment I'm reading these
http://wiki.xen.org/wiki/Xen_FAQ_Security
http://wiki.xenproject.org/wiki/Xen_Networking
http://old-list-archives.xenproject.org/archives/html/xen-users/2006-02/msg00602.html
and am really not sure which is the right way to go. Also this
https://community.spiceworks.com/how_to/103601-configure-xenserver-6-2-to-host-a-virtual-firewall
talks about using dedicated physical host ports vs. using VLAN with an external switch. Which is an option since this Xen server has a total of 4 physical ethernet interfaces, AND my Ethernet switch is a managed, VLAN capable Gbit switch.

I'd appreciate a little help in narrowing this down to the best approach, choosing simple where there's a choice.

aleph

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users
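As an added example (not part of the original post or of any Xen project code), here is the Dom0 side of the bridged layout the post leans towards, options (3), (C) and (D): an external bridge joined only by the WAN NIC and the firewall DomU's vif, with no Dom0 address on it, and an internal bridge for the LAN NIC, Dom0 and the other guests. Instead of PCI passthrough of the WAN NIC this uses a dedicated bridge, which still keeps WAN traffic off Dom0's IP stack; interface names, bridge names, the Dom0 address and the APPLY dry-run switch are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: Dom0 setup for the bridged layout
# the poster leans towards. The firewall DomU owns the external side; Dom0 and
# the other guests sit only on the internal bridge.
# Assumptions: eth0 is the WAN NIC, eth1 the LAN NIC; bridge names, the Dom0
# address and the guest's vif order are all made up for the example.
set -eu

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
EXT_BR=${EXT_BR:-xenbr-ext}
INT_BR=${INT_BR:-xenbr-int}
DOM0_ADDR=${DOM0_ADDR:-192.168.1.2/24}

# Print each command instead of running it unless APPLY=1, so the plan can be
# reviewed (and tested) without root or real NICs.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

# External bridge: the physical WAN NIC plus, once the guest starts, the
# firewall DomU's vif. Dom0 deliberately gets no address on it, so nothing in
# Dom0 is reachable from the WAN side; only the firewall guest sees that traffic.
setup_ext_bridge() {
    run ip link add name "$EXT_BR" type bridge
    run ip link set "$WAN_IF" master "$EXT_BR"
    run ip link set "$WAN_IF" up
    run ip link set "$EXT_BR" up
}

# Internal bridge: LAN NIC, Dom0's management address and every other DomU.
setup_int_bridge() {
    run ip link add name "$INT_BR" type bridge
    run ip link set "$LAN_IF" master "$INT_BR"
    run ip link set "$LAN_IF" up
    run ip link set "$INT_BR" up
    run ip addr add "$DOM0_ADDR" dev "$INT_BR"
}

# The firewall guest's vif line for its xl config: first vif on the WAN bridge
# (eth0 inside the guest), second on the LAN bridge (eth1 inside the guest).
fw_domu_vif_line() {
    printf "vif = [ 'bridge=%s', 'bridge=%s' ]\n" "$EXT_BR" "$INT_BR"
}

# Sanity check on the output of `ip -o addr show dev $EXT_BR`: succeeds only
# when the external bridge carries no inet/inet6 address in Dom0.
ext_bridge_has_no_addr() {
    ! printf '%s\n' "$1" | grep -q ' inet'
}
```

Run with APPLY=1 as root on the Dom0 to apply; the VLAN variant from the Spiceworks article would replace eth0/eth1 with 802.1Q sub-interfaces on one NIC before enslaving them to the bridges.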