This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] Firewalling Xen?

On December 15, 2008 1:50 pm Grant McWilliams wrote:
> On Mon, Dec 15, 2008 at 1:05 PM, Dustin Henning
> <Dustin.Henning@xxxxxxxxxxx> wrote:
> >        In case it is relevant, I simply allow all traffic to traverse
> > the forwarding chain when it is headed to a bridged destination.  I
> > then simply run a firewall on dom0 and each domU as if they were all
> > individual machines.  This seems to me like the way to go short of
> > doing something more drastic with hardware isolation, but as a lot of
> > people prefer to have much more complex firewall setups, it is
> > certainly likely that at least some of them have good reason.
> >         Dustin
> Keep in mind that this method means you'll be managing multiple
> firewalls. In my case it would be about 30 firewalls total. By separating
> the internal private network from the real network you can run with one
> firewall. However, having said that you can only forward each outside
> port to one port on one domU. This means if you have multiple web servers
> you can't forward the external port 80 to more than one internal possibly
> making it messy for external clients accessing the virtual machines by
> requiring them to access services on non-standard ports. In my setup this
> is fine because I only forward one port anyway (ssh) to allow remote
> logins.

You can always use 1:1 NAT between a public IP and a private IP, for each 
domU.  There's nothing that forces you to use a single IP for the firewalled 
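As an added example, not code from any of the posters: a small POSIX shell script that emits the iptables rules for the 1:1 NAT arrangement the reply describes, one public address mapped to one domU's private address, so every domU can serve its own port 80 instead of competing for a single forwarded port. The interface names (eth0 public, xenbr0 internal bridge), the RFC 5737 documentation addresses and the mapping table are constructed assumptions for illustration; nothing is applied unless the printed rules are piped to a root shell.

```shell
#!/bin/sh
# Added example (not from the thread): generate iptables rules for 1:1 NAT
# between a public IP and a domU's private IP, one pair per domU.
# All addresses below are constructed RFC 5737 documentation values; the
# interface names are assumptions about this dom0.
PUB_IF="${PUB_IF:-eth0}"     # assumed: interface holding the public addresses
BR_IF="${BR_IF:-xenbr0}"     # assumed: bridge the domUs sit on

# gen_one_to_one_nat PUBLIC_IP PRIVATE_IP
# Prints the rules for one domU. DNAT rewrites the destination of inbound
# packets to the domU; SNAT rewrites the source of the domU's outbound
# packets so it appears on the network as its public address. The FORWARD
# rules admit only the mapped host, with the chain policy left at DROP.
gen_one_to_one_nat() {
    pub="$1"; priv="$2"
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -j DNAT --to-destination %s\n' \
        "$PUB_IF" "$pub" "$priv"
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
        "$PUB_IF" "$priv" "$pub"
    printf 'iptables -A FORWARD -i %s -o %s -d %s -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$PUB_IF" "$BR_IF" "$priv"
    printf 'iptables -A FORWARD -i %s -o %s -s %s -j ACCEPT\n' \
        "$BR_IF" "$PUB_IF" "$priv"
}

# Mapping table, one "public private" pair per domU (constructed sample data).
# Add a line here for each new domU; no port juggling is needed because each
# domU owns a whole public address.
MAPPINGS='203.0.113.10 10.0.0.10
203.0.113.11 10.0.0.11'

# gen_all: full rule set. Default-deny on FORWARD, then one block per domU.
gen_all() {
    echo 'iptables -P FORWARD DROP'
    echo "$MAPPINGS" | while read -r pub priv; do
        [ -n "$pub" ] && gen_one_to_one_nat "$pub" "$priv"
    done
}

# count_rules: number of iptables commands produced (handy for sanity checks)
count_rules() {
    gen_all | grep -c '^iptables'
}

# Usage: sh nat-rules.sh show            (review the rules)
#        sh nat-rules.sh show | sudo sh  (apply them)
if [ "${1:-}" = show ]; then
    gen_all
fi
```

The script only prints rules so they can be reviewed and diffed before touching the live firewall; with two mapped domUs it produces nine commands, two of which are DNAT entries, one per public address.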


Xen-users mailing list