WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
 
   
 

xen-users

Re: [Xen-users] Firewalling Xen?

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Firewalling Xen?
From: Andris <andris@xxxxxxxx>
Date: Wed, 17 Dec 2008 10:06:37 +0200

Hi!

I set up my servers this way and prefer it as the most flexible solution for me.

Dom0 (no firewall, firewalled externally by ISP's firewall) - independent host machine, no special setup, for easy replacement if it fails
DomU1 (dedicated Shorewall firewall machine doing NAT, load balancing, proxying etc. for the other DomUs in the virtual LAN)
DomU'sX (all inside the LAN, behind the DomU1 firewall)
DomU'sY (proxy-ARPed in the DMZ zone, look like standalone machines from the internet)

So everything is bridged (NET,LAN,DMZ bridges)

Very flexible: I can replace any component, and my DomUs are not bound to Dom0. I can move DomUs easily within my Dom0s.



andris


Stephen Liu wrote:
--- Grant McWilliams <grantmasterflash@xxxxxxxxx> wrote:

Grant McWilliams

Some people, when confronted with a problem, think "I know, I'll use Windows."
Now they have two problems.



On Tue, Dec 16, 2008 at 9:01 AM, Thomas Goirand <thomas@xxxxxxxxxx> wrote:

lists@xxxxxxxxxxxxx wrote:
I'm wondering how to setup a firewall for Dom0 when all traffic for the
DomUs go 'through' it.

Hi,

as we do commercial VPS hosting with xen and our own open source
management interface, we have designed a small anti-DoS firewall to
setup in your dom0. It does nothing spectacular, but it helps against
ssh dictionary attacks, and other very common flood types that might
hurt your server: ping, syn, etc.



http://git.gplhost.com/gitweb/?p=dtc-xen.git;a=blob;f=debian/dtc-xen.init;h=5e4df2e46e3a872a2d73ada77e24e8bb242f8b6b;hb=a75a32b23d6dde71dc684045b3c2e7051c30e6fa
I'd be happy to have contributions in this small script that is by the
way very simple to extend (just add a few functions for yourself and
share, then anybody can enable/disable them with ease).

Thomas


Don't you mean this ;-)


http://git.gplhost.com/gitweb/?p=dtc-xen.git;a=blob;f=debian/dtc-xen-firewall.init;h=16139921d6efd6fc2e407f7d80b11fae97befdf9;hb=a75a32b23d6dde71dc684045b3c2e7051c30e6fa

A bit off topic but can dtc-xen control its users in a way that you can
assign an admin per VM? What I'm looking for is to have each student manage
his and only his domU.

Grant McWilliams


Hi folks,


Just came across this thread.  The setup of the Xen box here is as follows;


Dom0 - a workstation for remote setup/config DomU
DomU1 - mail server for routing (headless)
DomU2 - mail server for domain1 (headless)
DomU3 - mail server for domain2 (headless)
DomU4 - mail server for domain3 (headless)
etc.


Firewall is only running on domU1.  I'm running virtual domains, with
all domains pointing at the same public IP (one public IP).  All ports
on router are forwarded to the local IP of DomU1.  Do I need to have
firewall installed on each DomU?  TIA


B.R.
Stephen L

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
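
In a layout like the one in the reply above, the firewall only does its job if DomU1 is the sole guest attached to more than one of the NET, LAN and DMZ bridges. The following Python check is an added example, not code from the thread or from any poster's setup: it reads the `vif` list of domU config files and flags guests that could bypass the firewall. The bridge names, guest names and sample configs are constructed assumptions.

```python
import re

# Assumed bridge and guest names; the thread only mentions NET, LAN and DMZ bridges.
NET, LAN, DMZ = "br-net", "br-lan", "br-dmz"
FIREWALL = "domu1-fw"

# Constructed sample domU configs (only the vif line matters here), keyed by guest name.
SAMPLE_CONFIGS = {
    "domu1-fw": "vif = ['bridge=br-net', 'bridge=br-lan', 'bridge=br-dmz']",
    "web-lan": "vif = ['mac=00:16:3e:00:00:10, bridge=br-lan']",
    "mail-dmz": "vif = ['bridge=br-dmz']",
    "rogue": "vif = ['bridge=br-lan', 'bridge=br-net']",
}

def bridges(cfg_text):
    """Return the set of bridges named in a domU config's vif list."""
    text = "\n".join(line.split("#", 1)[0] for line in cfg_text.splitlines())
    m = re.search(r"^\s*vif\s*=\s*\[(.*?)\]", text, re.S | re.M)
    return set(re.findall(r"bridge\s*=\s*([\w.-]+)", m.group(1))) if m else set()

def audit(configs, firewall=FIREWALL):
    """List (guest, reason) pairs for vif layouts that sidestep the firewall domU."""
    problems = []
    for name, text in sorted(configs.items()):
        attached = bridges(text)
        if name == firewall:
            missing = {NET, LAN, DMZ} - attached
            if missing:
                problems.append((name, "firewall not on: " + ", ".join(sorted(missing))))
            continue
        if NET in attached:
            problems.append((name, "attached to NET bridge directly"))
        if len(attached) > 1:
            problems.append((name, "bridges two segments: " + ", ".join(sorted(attached))))
        if not attached:
            problems.append((name, "no bridge= given, toolstack default bridge is used"))
    return problems

if __name__ == "__main__":
    for guest, why in audit(SAMPLE_CONFIGS):
        print(f"{guest}: {why}")
```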

