[Xen-users] DomU firewalling

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] DomU firewalling
From: Carles Fragoso i Mariscal <cfragoso@xxxxxxxx>
Date: Mon, 10 Apr 2006 16:32:25 +0200
Openpgp: id=0E4EDE07
Organization: CESCA

Hello everyone!

I am testing an environment with N Debian-based DomU's where each of
them could be managed by different sysadmins. So I decided to deploy two
additional DomU's for firewalling and provide proxy-based services for
the rest of DomU's. The main reason is to provide granular access
control (perimeter protection and limit interference between DomU's)
without using Dom0.

The IP address space is a /24 so the firewall (iptables) should work as
a bridge. The proxy-DomU will be located on a DMZ-leg of the firewall-DomU.

I have seen that each DomU is limited to 3 interfaces. My question is:
Is there any way to overcome this limitation or at least to deal
individually (point-to-point) with each DomU from the firewall-DomU
point of view?

I would really appreciate any comments and experiences regarding this
kind of approach or similar ones.

Thanks a lot in advance, keep up with the good work! :)

......................................................................
         __
        / /          Carles Fragoso i Mariscal
  C E / S / C A      Tècnic de seguretat
      /_/            Centre de Supercomputació de Catalunya

  Gran Capità, 2-4 (Edifici Nexus) - 08034 Barcelona
  T. 93 205 6464 - F.  93 205 6979 - cfragoso@xxxxxxxx
......................................................................
pgp:0x0E4EDE07 - 335C CB9F 84E8 85E9 A62B  EF3A 102F 01FF 0E4E DE07
ripe: AS13041  - CFM1-RIPE / iNOC-dba: 13041*CFM
......................................................................