

Re: [Xen-users] Xen networking concepts

On Tue, 2005-12-20 at 23:32 +0100, René Pfeiffer wrote:
> On Dec 20, 2005 at 1130 -0500, John A. Sullivan III appeared and said:
> >
> > Fernando made a really important point that I hope didn't slip by.  Your
> > original e-mail described binding an external IP address to Dom0.  I
> > would recommend never doing such a thing.  If someone compromises dom0,
> > they have everything.
> Yes, I didn't miss that point.
> > [...]
> > We heavily shield dom0 with no IP addresses bound to the public
> > interface and pass all external traffic through the firewall as you
> > proposed.
> That's what I have in mind. The problem with the setup is the fact that
> the server is "heavily colocated", so we probably have to assign Dom0 an
> external IP address for system administration. I proposed to my
> colleagues to use a second IP address for the firewall and make the
> access to Dom0 VPN-only in addition to limiting packets from selected
> networks only. 
> Thanks for your insights!
> Best,
> Lynx.
Why do you need a second IP address (unless I missed something)?  To
eliminate the need to publicly expose the dom0 even in colocation
scenarios, we typically assign dom0 a private address only and access it
via VPN.  Thus one only needs a public IP address for the VPN gateway -
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880

Financially sustainable open source development
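Added example, not from the thread or from either poster: two small shell helpers for the dom0 posture John describes, one that audits whether the public bridge really carries no global-scope IP address, and one that emits firewall rules admitting SSH to dom0 only from the VPN-reachable management network. The interface names (xenbr0 public, xenbr1 internal management), the VPN client network 10.8.0.0/24 and the use of iptables are all assumptions; none of them appear in the thread.

```shell
# Return 0 if no global-scope address (IPv4 or IPv6) is bound to interface $1
# in the `ip -o addr show` output passed as $2, and 1 if one is found.
iface_has_no_global_ip() {
    if printf '%s\n' "$2" | grep -E "^[0-9]+: $1 +inet6? " | grep -q 'scope global'; then
        return 1
    fi
    return 0
}

# Print iptables rules (assumed tool, not named in the thread) that let SSH reach
# dom0 only from the given networks arriving on the given management interface,
# and drop every other packet addressed to dom0 itself.  Traffic bridged through
# to the domUs traverses FORWARD, not INPUT, so these rules leave it untouched.
dom0_ssh_rules() {
    mgmt_if="$1"; shift
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for net in "$@"; do
        echo "iptables -A INPUT -i $mgmt_if -s $net -p tcp --dport 22 -j ACCEPT"
    done
    echo "iptables -P INPUT DROP"
}

# Constructed `ip -o addr show` output for a conforming dom0 (public bridge
# xenbr0 has only a link-local v6 address) and a non-conforming one (xenbr0
# carries a global address, which is exactly what the thread warns against).
GOOD_DOM0='1: lo    inet 127.0.0.1/8 scope host lo
2: xenbr0    inet6 fe80::216:3eff:fe00:1/64 scope link
3: xenbr1    inet 192.168.10.2/24 scope global xenbr1'
BAD_DOM0='1: lo    inet 127.0.0.1/8 scope host lo
2: xenbr0    inet 203.0.113.10/24 scope global xenbr0
3: xenbr1    inet 192.168.10.2/24 scope global xenbr1'

# On a live host the audit would be run as:
#   iface_has_no_global_ip xenbr0 "$(ip -o addr show)" && echo "xenbr0 carries no IP"
# and the generated rules reviewed before being applied:
#   dom0_ssh_rules xenbr1 10.8.0.0/24
```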

Xen-users mailing list