xen-users
Re: [Xen-users] Xen networking concepts
On Tue, 2005-12-20 at 23:32 +0100, René Pfeiffer wrote:
> On Dec 20, 2005 at 1130 -0500, John A. Sullivan III appeared and said:
> >
> > Fernando made a really important point that I hope didn't slip by. Your
> > original e-mail described binding an external IP address to Dom0. I
> > would recommend never doing such a thing. If someone compromises dom0,
> > they have everything.
>
> Yes, I didn't miss that point.
>
> > [...]
> > We heavily shield dom0 with no IP addresses bound to the public
> > interface and pass all external traffic through the firewall as you
> > proposed.
>
> That's what I have in mind. The problem with the setup is the fact that
> the server is "heavily colocated", so we probably have to assign Dom0 an
> external IP address for system administration. I proposed to my
> colleagues to use a second IP address for the firewall and make the
> access to Dom0 VPN-only in addition to limiting packets from selected
> networks only.
>
> Thanks for your insights!
>
> Best,
> Lynx.
>
Why do you need a second IP address (unless I missed something)? To
eliminate the need to publicly expose the dom0 even in colocation
scenarios, we typically assign dom0 a private address only and access it
via VPN. Thus one only needs a public IP address for the VPN gateway -
John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@xxxxxxxxxxxxxxxxxxx
Financially sustainable open source development
http://www.opensourcedevel.com
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
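The layout both posters describe (dom0 holds no address on the public interface, all external traffic is bridged through to a firewall domU, and dom0 is reached only over a private management network behind a VPN) can be checked mechanically on the host. The script below is an added example written for this thread, not code from either poster or from the Xen project. It assumes two bridge names, `xenbr-pub` and `xenbr-mgmt`, a VPN client subnet of `10.8.0.0/24`, and the output format of `ip -o addr show`; the address listings it parses are constructed samples embedded in the script so it runs offline.

```shell
#!/bin/sh
# Added example (not from the xen-users thread): audit a dom0 address
# listing for the "no public IP on dom0" policy and emit a matching
# management allow-list. Bridge names, subnets and the sample listings
# below are assumptions made for this example.

# Constructed sample in the shape of `ip -o addr show` output, showing the
# setup the thread warns against: dom0 carries a public address on the
# bridge that faces the colocation uplink.
SAMPLE_EXPOSED='1: lo    inet 127.0.0.1/8 scope host lo
2: xenbr-pub    inet 203.0.113.10/24 brd 203.0.113.255 scope global xenbr-pub
3: xenbr-mgmt    inet 10.0.0.2/24 brd 10.0.0.255 scope global xenbr-mgmt'

# Constructed sample of the recommended state: the public bridge is up but
# has no address in dom0; dom0 is reachable only on the management bridge.
SAMPLE_SHIELDED='1: lo    inet 127.0.0.1/8 scope host lo
3: xenbr-mgmt    inet 10.0.0.2/24 brd 10.0.0.255 scope global xenbr-mgmt'

# addrs_on_iface IFACE: read an `ip -o addr show` listing on stdin and print
# every inet/inet6 address assigned to IFACE, one per line.
addrs_on_iface() {
    awk -v ifc="$1" '$2 == ifc && ($3 == "inet" || $3 == "inet6") { print $4 }'
}

# check_dom0_exposure LISTING PUBLIC_IF MGMT_IF
# Returns 0 when PUBLIC_IF has no address at all (dom0 is not addressable
# from the uplink) and MGMT_IF has at least one; returns 1 otherwise and
# reports each finding on stderr.
check_dom0_exposure() {
    listing=$1; pub=$2; mgmt=$3; status=0
    pub_addrs=$(printf '%s\n' "$listing" | addrs_on_iface "$pub")
    mgmt_addrs=$(printf '%s\n' "$listing" | addrs_on_iface "$mgmt")
    if [ -n "$pub_addrs" ]; then
        echo "FAIL: dom0 has address(es) on public bridge $pub:" $pub_addrs >&2
        status=1
    fi
    if [ -z "$mgmt_addrs" ]; then
        echo "FAIL: dom0 has no address on management bridge $mgmt" >&2
        status=1
    fi
    return $status
}

# mgmt_allowlist_rules VPN_SUBNET MGMT_IF
# Print iptables rules (not applied here) that restrict inbound traffic to
# dom0 itself to SSH arriving on the management bridge from the VPN subnet.
# Bridged frames for the firewall domU traverse FORWARD, not INPUT, so this
# does not interfere with guest traffic.
mgmt_allowlist_rules() {
    vpn=$1; mgmt=$2
    printf '%s\n' \
        "iptables -P INPUT DROP" \
        "iptables -A INPUT -i lo -j ACCEPT" \
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "iptables -A INPUT -i $mgmt -s $vpn -p tcp --dport 22 -j ACCEPT"
}

# Stand-alone run: audit both samples and show the allow-list for the
# shielded layout. A real host would pipe `ip -o addr show` into the check.
for sample in "$SAMPLE_EXPOSED" "$SAMPLE_SHIELDED"; do
    if check_dom0_exposure "$sample" xenbr-pub xenbr-mgmt; then
        echo "OK: dom0 is not addressable on xenbr-pub"
    else
        echo "exposure found; move the public address into the firewall domU"
    fi
done
mgmt_allowlist_rules 10.8.0.0/24 xenbr-mgmt
```

On a live dom0 the check is `ip -o addr show | { listing=$(cat); check_dom0_exposure "$listing" xenbr-pub xenbr-mgmt; }`; any address, including a link-local IPv6 one, on the public bridge is treated as a failure, because in a colocation rack the link is shared with other tenants' equipment.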