WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-users] Remote management of DomU

from [Goetz Bock] [Permanent Link][Original]
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Remote management of DomU
From: Goetz Bock <bock@xxxxxxxxxxx>
Date: Fri, 23 Dec 2005 08:55:25 +0100
Delivery-date: Fri, 23 Dec 2005 07:59:33 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <200512210719.13233.lists@xxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Mail-followup-to: Goetz Bock <bock@xxxxxxxxxxx>, xen-users@xxxxxxxxxxxxxxxxxxx
References: <E1En9iI-0006yY-N9@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> <200512152333.44662.lists@xxxxxxxxxx> <1134753568.2587.38.camel@localhost> <200512210719.13233.lists@xxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.4.2i 
On Wed, Dec 21 '05 at 07:19, Alan Murrell wrote:
> > A quick thought is to do it via VPN.  Expose the Dom0 to the internal
> > network but use iptables to restrict virtually all traffic to the Dom0
> > and then allow only ssh coming off of an IPSec tunnel to be allowed to
> > go from the firewall to the Dom0 - John
> 
> If Dom0 doesn't have a physical interface, how would I expose it to the 
> internal network?  Or are you suggesting I should add a 4th NIC?
Without going back into the archive, but I think onone has come up with
it:

You can always give the bridge interface an IP, than you can use it from
Dom0 like if it was a regular interface.

I'm currently running a Xen3 amd64 server with three bridges:

- xenbr0: with the real eth0, and a vif from a firewall domU
- privbr: one vif from the firewall, and vifs from some domU. All
          interfaces on this bridge use 192.168.x.y IPs. this one also
          has an IP on it's own, so the Dom0 can be accessed
- pubbr: one vif form the firewall, vifs from some domUs all with public
         IPs. 

The firewall is doing routing between xenbr0 and pubbr. I'm also runnign
a VPN domU that allows me to access the network on privbr.

Works fine so far.
-- 
/"\ Goetz Bock at blacknet dot de  --  secure mobile Linux everNETting
\ /       (c) 2005 Creative Commons, Attribution-ShareAlike 2.0 de
 X   [ 1. Use descriptive subjects - 2. Edit a reply for brevity -  ]
/ \  [ 3. Reply to the list - 4. Read the archive *before* you post ]

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: [Xen-users] RE: [Fedora-xen] Difficulties using the Fedora Core 4, Leonardo Pinto
Next by Date:  [Xen-users] new user: "connect: Network is unreachable" error, PUCCETTI Armand
Previous by Thread:  Re: [Xen-users] Remote management of DomU, Alan Murrell
Next by Thread:  Re: [Xen-users] Remote management of DomU, John A. Sullivan III
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy