This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] Network Interface Problems for DomU Firewall

On Sat, Aug 1, 2009 at 1:54 AM, Tom Jensen <tom.jensen@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> As I mentioned before, my ultimate goal is to configure a standard three
> interface firewall within the DomU.  Most of the information I have found
> on the subject suggests the most secure way to accomplish this is to
> dedicate the interface connected to the Internet to the DomU using PCI
> passthrough.

It depends on how you define "secure" :)

> The other two interfaces (DMZ & LAN) would be virtual
> interfaces bridged to the Dom0.  I am open to other concepts for creating
> a firewall DomU if anyone cares to share their configurations.

In my setup, in terms of networking I look at dom0 as an L2 switch. It
has one or more uplink trunk interfaces (the physical interface),
several access or trunk downlink interfaces (the bridges and domU
interfaces), and (optionally) one dedicated management link with a
management IP. So for the internet link I simply create another bridge
on dom0, but without an IP address. This is similar to the way an L2
switch can have a vlan containing internet traffic, but the switch
itself does not have a public IP address.

I find this setup easier to manage (since it's similar to a real
physical setup), plus I'm not limited to the number of physical
interfaces on dom0.


Xen-users mailing list
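
An added example, not part of the original message: a shell check for the layout described above, confirming that the dom0 bridge carrying Internet traffic has no address of its own. It goes one step beyond the post by also counting IPv6 link-local addresses, which Linux assigns automatically to an interface that is up; the bridge names and all addresses are constructed.

```shell
#!/bin/sh
# Audit that a dom0 bridge used only to switch Internet traffic to the
# firewall domU has no layer-3 address (IPv4 or IPv6) on dom0 itself.
# Assumption: bridge names xenbr-wan, xenbr-dmz, xenbr-mgmt are hypothetical.

# Constructed sample of `ip -o addr show` output on a dom0.
# Interfaces with no address at all do not appear in this output.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
3: xenbr-mgmt    inet 192.0.2.10/24 brd 192.0.2.255 scope global xenbr-mgmt
4: xenbr-wan    inet6 fe80::216:3eff:fe00:1/64 scope link'

# addrs_on_iface IFACE
# Reads `ip -o addr show` text on stdin and prints "family address" for
# every address bound to IFACE, link-local ones included.
addrs_on_iface() {
    awk -v ifc="$1" \
        '$2 == ifc && ($3 == "inet" || $3 == "inet6") { print $3, $4 }'
}

# audit_bridge IFACE
# Reads the same text on stdin. Returns 0 if IFACE carries no address,
# 1 if dom0 is reachable at layer 3 on that segment.
audit_bridge() {
    found=$(addrs_on_iface "$1")
    if [ -n "$found" ]; then
        echo "FAIL $1 has an address on dom0: $found"
        return 1
    fi
    echo "OK   $1 has no layer-3 address on dom0"
    return 0
}

# Demo over the constructed sample. On a real dom0, pipe in the live
# output instead:  ip -o addr show | audit_bridge xenbr-wan
for br in xenbr-wan xenbr-dmz; do
    printf '%s\n' "$SAMPLE_ADDRS" | audit_bridge "$br" || true
done
```

In the sample, xenbr-wan fails because of its automatic link-local address; setting `net.ipv6.conf.<bridge>.disable_ipv6=1` on that bridge removes it.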
