This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] Xen networking concepts

On Dec 20, 2005 at 1130 -0500, John A. Sullivan III appeared and said:
> Fernando made a really important point that I hope didn't slip by.  Your
> original e-mail described binding an external IP address to Dom0.  I
> would recommend never doing such a thing.  If someone compromises dom0,
> they have everything.

Yes, I didn't miss that point.

> [...]
> We heavily shield dom0 with no IP addresses bound to the public
> interface and pass all external traffic through the firewall as you
> proposed.

That's what I have in mind. The problem with the setup is the fact that
the server is "heavily colocated", so we probably have to assign Dom0 an
external IP address for system administration. I proposed to my
colleagues to use a second IP address for the firewall and make the
access to Dom0 VPN-only in addition to limiting packets from selected
networks only.

Thanks for your insights!


"From the delicate strands,
 between minds we weave our mesh:
 a blanket to warm the soul."
 --- Lady Deirdre Skye (SMAC) ---
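Added example, not part of the thread or of Xen's own tooling: a dom0 host-firewall policy in iptables-restore format that implements the arrangement described in the reply above. The management IP stays on dom0's public interface, but the only thing accepted there is the VPN handshake, and only from selected administrator networks; the administrative port is accepted solely when it arrives through the tunnel interface. Interface names (eth0, tun0), the VPN port (UDP 1194, assuming OpenVPN), the management port and the networks are all assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset for a
# Xen dom0 that keeps a management IP on its public interface but accepts
# administrative logins only through a VPN tunnel, and accepts the VPN
# handshake only from selected source networks. All interface names, ports
# and networks below are assumed placeholders.
set -eu

# rule TEXT: print one ruleset line (keeps printf from reading "-A" as an option)
rule() { printf '%s\n' "$*"; }

# gen_dom0_rules PUB_IF VPN_IF MGMT_PORT ADMIN_NET [ADMIN_NET ...]
# Prints the ruleset; load it on the host with:
#   gen_dom0_rules eth0 tun0 22 203.0.113.0/24 | iptables-restore
gen_dom0_rules() {
    pub_if=$1 vpn_if=$2 mgmt_port=$3
    shift 3
    rule '*filter'
    # Default deny for traffic addressed to dom0. FORWARD is also closed: dom0
    # is not meant to route, and guest traffic goes through the firewall domU
    # (bridged frames only traverse this chain when bridge-nf-call-iptables=1).
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    rule '-A INPUT -i lo -j ACCEPT'
    rule '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # VPN handshake (assumed OpenVPN on UDP 1194) is reachable on the public
    # interface only from the administrators' networks.
    for net in "$@"; do
        rule "-A INPUT -i $pub_if -s $net -p udp --dport 1194 -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Management port (SSH) is accepted only when it arrives through the tunnel;
    # the same port on the public interface falls through to the DROP policy.
    rule "-A INPUT -i $vpn_if -p tcp --dport $mgmt_port -m conntrack --ctstate NEW -j ACCEPT"
    # Rate-limited log of everything else so that probing of dom0 stays visible.
    rule '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "dom0-drop: "'
    rule 'COMMIT'
}

# Demo with constructed values: print the ruleset rather than loading it.
gen_dom0_rules eth0 tun0 22 203.0.113.0/24 198.51.100.0/24
```

Note that the source-network filter sits on the VPN port, not on SSH: once a packet arrives on tun0 it has already been authenticated by the tunnel, so the two controls layer rather than duplicate. Pipe the output into iptables-restore only after checking it with a second console open, since the INPUT policy is DROP.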

Xen-users mailing list
