xen-users

[Xen-users] confused: How to put packetfilter into domU and isolate dom0

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] confused: How to put packetfilter into domU and isolate dom0 completely?
From: Carsten Aulbert <carsten@xxxxxxxxxxxxxxxx>
Date: Tue, 27 Mar 2007 12:31:22 +0200
Delivery-date: Tue, 27 Mar 2007 03:31:13 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.10) Gecko/20070306 Thunderbird/1.5.0.10 Mnenhy/0.7.5.666
Hi,

after two days of harvesting the web and the mailing list archive I am
completely lost and confused. The set-up I want to achieve is not that
complex, but it is killing me right now. I'll try to make the description
as short as possible:

I have set up a small Ubuntu feisty Xen installation; I can create domUs
via debootstrap and they are all running fine. In particular, with the
default xenbr0 every domU gets its IP via DHCP from the local network.
However, I want to reinstall everything "in the wild" with slightly
different needs.

I have got a single server with a single external IP. My dream is to
set up a totally isolated dom0, which I can enter only via a remote
serial console or by opening ssh whenever there is need. Otherwise dom0
should not do anything except managing the domUs. The remaining domUs
should be dedicated to certain tasks (web, email, users, etc.) and one
domU (say dom1) should do the firewalling and SNAT/DNAT stuff. Let me try
some crude art:

Internet (public IP)
         |
        eth0(physical)
         |
       brextern?
         |
      dom1/eth0
         |
       brintern
         |
  +------+------+
  |      |      |
 dom2   dom3   dom0(from time to time)

My questions now are (if this piece of art is understandable):

Shall I
(1) use two bridges (brextern, brintern), or
(2) delegate the physical interface to dom1?

If (1):
right now I'm playing around with hard-coded brctl/ip/ifup code without
the fancy network-bridge script. My current problem is that eth0 is still
visible from dom0 and I cannot get rid of it. Maybe I'm stopped by not
understanding the peth0 and veth0 business here.
Can anyone tell me roughly how to achieve a solution here?

If (2):
How can I delegate the physical interface to dom1? I've looked around,
but only found pages where this is mentioned but not done. Can anyone
give me the correct words to use in search engines? I've seen
pciback.hide for the dom0 kernel, but how can I make certain that the
filtering domU will get that card?

Thanks for any possible help, and sorry if I confuse you as well :)

Cheers

Carsten

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
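An added example, not from this thread or from the Xen project, showing how the two-bridge layout of option (1) in the diagram above can be built with plain brctl/ip while keeping dom0 off the external segment. It assumes the physical NIC is eth0, that dom0's occasional management address on the internal bridge is 10.0.0.2/24, and the bridge names from the diagram; DRY_RUN=1 only prints the commands, since the real run needs root on a dom0.

```shell
#!/bin/sh
# Two-bridge layout (added example, not from the original post):
#   Internet -- eth0 -- brextern -- dom1 (firewall) -- brintern -- dom2, dom3, dom0
# dom0 enslaves eth0 into brextern but never assigns itself an address there,
# so the only path from the outside into dom0 is through the firewalling domU.
# Assumed values: eth0, 10.0.0.2/24 (both are assumptions, adjust to taste).

run() {
    # With DRY_RUN=1 print the command instead of executing it.
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_bridges() {
    ext_if=${1:-eth0}          # physical NIC that carries the public IP
    mgmt_ip=${2:-10.0.0.2/24}  # dom0's occasional address on the inside

    # External bridge: NIC enslaved, no IP on the dom0 side.
    run brctl addbr brextern
    run brctl stp brextern off
    run brctl setfd brextern 0
    run ip addr flush dev "$ext_if"
    run ip link set "$ext_if" up
    run brctl addif brextern "$ext_if"
    run ip link set brextern up

    # Internal bridge: domUs plus dom0's management address only.
    run brctl addbr brintern
    run brctl stp brintern off
    run brctl setfd brintern 0
    run ip link set brintern up
    run ip addr add "$mgmt_ip" dev brintern
}

# vif= line for an xm config file: only the firewalling domU (dom1)
# is attached to both bridges; every other domU sits on brintern alone.
vif_config() {
    case "$1" in
        dom1) echo "vif = [ 'bridge=brextern', 'bridge=brintern' ]" ;;
        *)    echo "vif = [ 'bridge=brintern' ]" ;;
    esac
}

# Usage: DRY_RUN=1 sh two-bridges.sh up eth0 10.0.0.2/24
case "${1:-}" in
    up) setup_bridges "$2" "$3" ;;
esac
```

The firewalling (SNAT/DNAT) itself then lives entirely inside dom1, whose eth0 faces brextern and whose eth1 faces brintern.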
