| |
|
 |
|
 |
|
|
|
| |
|
|
xen-users
Re: [Xen-users] Managed Firewall
Jonathan Tripathy wrote:
Once I roll out my Xen VPS hosting solution, I wish to provide a
"managed firewall" service to my customers. What I wish to do is to
use my firewall (which will sit on the edge between the ISP WAN and
my VM's LAN) to filter traffic between the WAN and the LAN VMs (this
is easy), as well as filter between the VMs.
Now, this "firewall" will actually be a "filtering bridge" as the
VMs will be using public IPs, so the firewall's WAN and LAN
interfaces will be bridged together. My question is, how can I
"force" all traffic from each VM host to go back out via the
firewall? Is it just a matter of using iptables/ebtable in the
bridge in the Dom0 to make sure that the vifs can only communicate
with the physical interface (which will be connected to the
firewall) ?
For this to work, each VM must attach to a different "port" of your
firewall. If the firewall were a VM on the same host then you could
create a bridge per VM and connect them all to the firewall VM. But
since as I read it you are using an external box, then you would need
to use either a lot of real NICs, or more efficiently, use a VLAN per
VM and trunk them to the switch.
If you just use one virtual switch (bridge) and connect multiple VMs
to it, then you are correct in saying the switch will simply forward
the packets directly between the VMs.
--
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
|
|
|
| |
|
Home