WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
xen-users

Re: [Xen-users] Remote management of DomU

On Friday 23 December 2005 07:03, John A. Sullivan III wrote:
> Just as a suggestion, I always cringe to put any device other than a
> firewall directly on the Internet with public IPs especially a domU just

In my case, I have a DomU acting as my firewall :-)

To do remote management of the Dom0, I took rupi's suggestion and created a 
third bridge on my Dom0, but gave it an IP. I then exported the bridge to my 
firewall domU where it became a 4th interface, "eth3". I then gave this new 
interface on the firewall an IP on the same subnet as the "administrative" 
bridge I created on Dom0, and now I can ssh into the Dom0 from the firewall 
domU.

My configuration now looks like this:

On Dom0 (Debian Sarge):

/etc/network/interfaces
auto br-lan0 br-dmz0 br-adm0
# LAN bridge
iface br-lan0 inet manual
    bridge_ports eth0

# DMZ bridge
iface br-dmz0 inet manual
    bridge_ports eth1

# Administration bridge (no physical port; reachable only from the firewall DomU)
iface br-adm0 inet static
    address 10.253.3.2
    netmask 255.255.255.0
    bridge_ports dummy0


/etc/xen/01_fw01
...
nics = 3
vif = [
          'mac=aa:00:00:11:e2:d1,bridge=br-lan0',
          'mac=aa:00:00:11:e2:d2,bridge=br-dmz0',
          'mac=aa:00:00:11:e2:d3,bridge=br-adm0'
          ]
...


And on the firewall DomU, I just simply configure networking as I normally 
would (using the OS's networking config files; I use Mandriva in this case).

    eth0 -> Internet interface, gets IP from ISP (also a physical interface hidden from Dom0)
    eth1 -> LAN interface, 10.253.1.1
    eth2 -> DMZ interface, 10.253.2.1
    eth3 -> administrative interface for Dom0, 10.253.3.1

and so far it all works rather nicely.  The firewall DomU of course has 
restrictive firewall rules on it about what is allowed to access Dom0 from 
the network.

I hope this can help someone else out.  I am in the process of writing a 
"recipe" for my setup and will likely post it once done, but I am not sure on 
its ETA.  Everything I did was pretty much pieced together from other posts 
on the list as well as helpful advice from others.

-Alan

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
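
Added example, not part of the post above and not the poster's own rules: one way to express "restrictive firewall rules" for the administrative interface on the firewall DomU, plus a lint that flags over-broad ACCEPT rules. Interface names and 10.253.3.2 come from the post; ADMIN_HOST, the ADM-GUARD chain name and the SSH-only policy are assumptions.

```shell
#!/bin/sh
# Added example. Names from the post: eth1 (LAN), eth3 (admin), 10.253.3.2 (Dom0).
ADM_IF="eth3"
LAN_IF="eth1"
DOM0_IP="10.253.3.2"
ADMIN_HOST="10.253.1.10"   # assumed: the single LAN workstation allowed to reach Dom0

# Print a filter-table fragment in iptables-restore format.
# Assumed policy: only ADMIN_HOST may open SSH to Dom0 through the firewall;
# Dom0 may answer but initiates nothing through it. Traffic that originates on
# the firewall DomU itself uses OUTPUT and is not touched by these rules.
adm_rules() {
    cat <<EOF
*filter
:ADM-GUARD - [0:0]
-I FORWARD 1 -o ${ADM_IF} -j ADM-GUARD
-I FORWARD 2 -i ${ADM_IF} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-I FORWARD 3 -i ${ADM_IF} -j DROP
-A ADM-GUARD -i ${LAN_IF} -s ${ADMIN_HOST} -d ${DOM0_IP} -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A ADM-GUARD -j LOG --log-prefix "adm-net denied: "
-A ADM-GUARD -j DROP
COMMIT
EOF
}

# Lint a ruleset on stdin (generated above, or iptables-save output):
# every ACCEPT in ADM-GUARD must name a source address and a destination port.
# Prints offending rules and returns non-zero if any are found.
lint_adm_guard() {
    awk '
        /^-A ADM-GUARD / && / -j ACCEPT/ {
            if ($0 !~ / -s / || $0 !~ / --dport /) {
                print "too broad: " $0
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Stand-alone use: "sh adm-rules.sh print" writes the fragment to stdout.
if [ "${1:-}" = "print" ]; then
    adm_rules
fi
```

The fragment is meant to be loaded with `iptables-restore --noflush`, and `iptables-restore --test` parses it without committing.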
