On Sun, 2008-07-13 at 23:06 -0400, Christopher
> On Sat, Jul 12, 2008 at 11:44 PM, Christopher Isip <cmisip@xxxxxxxxx
> I am going to try to create a domU webserver. My current
> setup is dom0 running Centos 5.1 with two ethernet
> One is pcibacked to an Asterisk domU ( and hence invisible
> dom0 ) and serves as the external interface there. The
> Asterisk domU is my gateway to the internet, default route,
> dhcpd server, dns server and ip masquerade server as well.
> The second interface in dom0 is the bridged interface to
> all the domUs are connected (including the Asterisk domU).
> Everything seems to be working fine. I have a simple two
> interface shorewall configuration in the Asterisk domU.
> My plan is to create a webserver domU and have shorewall
> in it as well. The domU will have default drop policies
> all incoming and outgoing connections. There will be a
> to allow incoming ssh and outgoing ssh. There will be a
> for allowing incoming http as well. The webserver domU will
> only have one interface, and that is the bridged interface
> from dom0.
> In the Asterisk domU, I can write a DNAT rule to port
> http connections from the internet to the webserver domU.
> It seems that this should work If xen domUs really behave
> if they are independent LAN hosts which so far they have
> setup. My only question is: how secure is this? Incoming
> connections from the internet for http port will be
> to a bridged interface. Or maybe this is where things will
> Anybody care to comment?
> I just realized that iptables on a dmz is useless. If an attacker
> gains access, the iptables rules could be rewritten and the dmz
> be used to access the network. Rather the other hosts need to have
> default reject policies for the DMZ host. But I would rather not
> implement a firewall for each of the other hosts. My thinking is
> perhaps I should not give the DMZ host a vif interface that is
> to a physical ethernet device. If its possible to create a bridge
> interface without any physical ethernet cards attached to it, I
> then present vif1 to the Asterisk domU and vif2 to the DMZ and have
> the Asterisk domU be the gateway to the rest of the lan and domUs.
> would simply convert to a three interface shorewall configuration
> the Asterisk domU with one interface net, the other local and the
> third DMZ.