This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] Firewalling Xen?

To: Andris <andris@xxxxxxxx>
Subject: Re: [Xen-users] Firewalling Xen?
From: "Grant McWilliams" <grantmasterflash@xxxxxxxxx>
Date: Wed, 17 Dec 2008 01:24:40 -0800
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Wed, 17 Dec 2008 01:25:20 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <4948B30D.8000100@xxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <849236.96732.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxx> <4948B30D.8000100@xxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx

On Wed, Dec 17, 2008 at 12:06 AM, Andris <andris@xxxxxxxx> wrote:

I set up my servers this way and prefer it as the most flexible solution for me.

Dom0 (no firewall, firewalled externally by the ISP's firewall) - independent host machine, no special setup, for easy replacement if it fails
DomU1 (dedicated shorewall firewall machine doing NAT, load balancing, proxying etc. for the other DomUs in the virtual LAN)
DomUs X (all inside the LAN, behind the DomU1 firewall)
DomUs Y (proxy-ARPed in the DMZ zone, look like standalone machines from the internet)

So everything is bridged (NET, LAN, DMZ bridges).

Very flexible: I can replace any component, and my DomUs are not bound to Dom0. I can move DomUs easily within my Dom0s.


So you have the DomU1's IP address exposed to the outside and then have one of its network interfaces on the internal private network's bridge? I'd assume this means that the DomU1's other network interface would be added to the eth0 bridge that peth0 resides on? I'm not sure I like the idea of Dom0 sitting there unprotected. Let's not forget that if another machine anywhere on the real network were exploited, the Dom0 is a sitting duck. The consequences of Dom0 falling are huge. You could just keep it the same way and put a firewall on Dom0 anyway, because what do you really want to allow in, since the router is really DomU1?

I was thinking, though, of having the traffic come in on eth0 and having Dom0's firewall forward everything to the first DomU, which would then do all the real filtering and NAT. I only have one external IP address to use. I'm a bit worried about speed, though, since I'm filtering everything twice.
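As an added illustration (not code from the thread or from the Xen project), here is what the second layout Grant describes looks like as a minimal Dom0 iptables ruleset: Dom0 opens nothing of its own on the external interface, redirects every inbound connection on the single external address to DomU1, and leaves the real filtering and NAT to DomU1, so the "filtering twice" on Dom0 is reduced to a handful of stateful rules. The interface names (eth0, xenbr0), DomU1's address and the admin network are assumptions, settable through environment variables.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal Dom0 ruleset for the
# layout Grant sketches. Dom0 opens nothing of its own on the external
# interface, redirects every inbound connection to DomU1 and leaves the
# real filtering and NAT to DomU1. Names and addresses are assumptions.
EXT_IF="${EXT_IF:-eth0}"                 # Dom0's external interface (assumed)
BR_IF="${BR_IF:-xenbr0}"                 # bridge carrying DomU1 and the LAN DomUs (assumed)
DOMU1_IP="${DOMU1_IP:-10.0.0.2}"         # DomU1's address on that bridge (constructed)
ADMIN_NET="${ADMIN_NET:-10.0.0.0/24}"    # where Dom0 may be administered from (constructed)

# Emit the rules rather than applying them, so they can be reviewed
# (or checked by a script) before they touch a live host.
dom0_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Dom0 management (ssh) only from the internal admin network, never from ${EXT_IF}
iptables -A INPUT -i ${BR_IF} -s ${ADMIN_NET} -p tcp --dport 22 -j ACCEPT
# Whatever arrives on the single external address is handed to DomU1
iptables -t nat -A PREROUTING -i ${EXT_IF} -j DNAT --to-destination ${DOMU1_IP}
# DomU1's outbound traffic leaves under Dom0's external address
iptables -t nat -A POSTROUTING -o ${EXT_IF} -s ${DOMU1_IP} -j MASQUERADE
# Dom0 forwards only between ${EXT_IF} and DomU1, and does no finer filtering
iptables -A FORWARD -i ${EXT_IF} -d ${DOMU1_IP} -j ACCEPT
iptables -A FORWARD -i ${BR_IF} -s ${DOMU1_IP} -o ${EXT_IF} -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Traffic staying on the bridge (DomU1 <-> LAN DomUs) also crosses FORWARD
# when bridge-nf-call-iptables is on; leave that to DomU1's own firewall
iptables -A FORWARD -i ${BR_IF} -o ${BR_IF} -j ACCEPT
EOF
}

# Apply the emitted rules (as root) only when explicitly requested.
apply_dom0_rules() {
    dom0_rules | grep -v '^#' | sh -e
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_dom0_rules
fi
```

Run it with `APPLY=1` as root to load the rules; without that it only prints them for review.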

Xen-users mailing list