WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
 
   
 

xen-users

Re: [Xen-users] Re: Creating a DMZ domU

To: "Jeroen Torrekens" <jeroen.torrekens@xxxxxxxxxxx>
Subject: Re: [Xen-users] Re: Creating a DMZ domU
From: "Christopher Isip" <cmisip@xxxxxxxxx>
Date: Wed, 16 Jul 2008 07:19:21 -0400
Cc: "John A. Sullivan III" <jsullivan@xxxxxxxxxxxxxxxxxxx>, xen-users <xen-users@xxxxxxxxxxxxxxxxxxx>



Normally not. There is no way for the 'outside' network to address your dom0 machine. If it does not have an IP address on the external bridge that is

If the dmz is compromised though, the attacker would have access to the dmz bridge and all hosts connected to it, right? This should exclude dom0 since there is no interface in dom0 attached to the dmz bridge (xenbrD). Is this correct?


[root@mymainserver ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
eth0            8000.00146c30c25a       no              vif8.0
                                                        vif7.0
                                                        vif6.0
                                                        vif5.0
                                                        vif4.0
                                                        vif3.0
                                                        vif2.0
                                                        vif1.0
                                                        peth0
virbr0          8000.000000000000       yes
xenbrD          8000.feffffffffff       no              vif11.0
                                                        vif2.1

I believe in the above vif1.0 is probably attached to the asterisk domU while vif2.1 is to the dmz domU, though I don't know how to check for sure. I did not manually enslave a dom0 interface to the xenbrD bridge when I created it.

Thanks
Chris
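
An added example, not part of the original message: it parses the `brctl show` output posted above and, relying on Xen's `vif<domain id>.<device index>` naming for backend interfaces, reports which domain IDs sit on each bridge, which non-guest ports are enslaved, and which domains have ports on more than one bridge. The function names are illustrative.

```python
import re
from collections import defaultdict

# `brctl show` output copied from the message above.
BRCTL_OUTPUT = """\
bridge name     bridge id               STP enabled     interfaces
eth0            8000.00146c30c25a       no              vif8.0
                                                        vif7.0
                                                        vif6.0
                                                        vif5.0
                                                        vif4.0
                                                        vif3.0
                                                        vif2.0
                                                        vif1.0
                                                        peth0
virbr0          8000.000000000000       yes
xenbrD          8000.feffffffffff       no              vif11.0
                                                        vif2.1
"""
# Xen names backend interfaces vif<domain id>.<device index>.
VIF = re.compile(r"^vif(\d+)\.(\d+)$")

def parse_brctl(text):
    """Return {bridge: [enslaved interfaces]} from `brctl show` output."""
    bridges, current = {}, None
    for line in text.splitlines()[1:]:              # skip the header row
        fields = line.split()
        if fields and line[0].isspace() and current:
            bridges[current].append(fields[0])      # continuation: one more port
        elif fields:
            current = fields[0]                     # name, id, STP, [first port]
            bridges[current] = fields[3:]
    return bridges

def audit(bridges):
    """Per bridge: guest (domid, dev) ports and non-vif ports; plus multi-homed domains."""
    report, seen = {}, defaultdict(set)
    for bridge, ports in bridges.items():
        matches = [VIF.match(p) for p in ports]
        guests = sorted((int(m[1]), int(m[2])) for m in matches if m)
        for domid, _ in guests:
            seen[domid].add(bridge)
        report[bridge] = {"guests": guests,
                          "other": [p for p in ports if not VIF.match(p)]}
    multi = {d: sorted(b) for d, b in seen.items() if len(b) > 1}
    return report, multi

if __name__ == "__main__":
    print(audit(parse_brctl(BRCTL_OUTPUT)))
```

On this output xenbrD carries only guest ports (domains 2 and 11), and domain 2 also has a port on eth0; the domain IDs can be matched to names with `xm list`. The bridge device is itself a dom0 interface, so `ip addr show dev xenbrD` in dom0 shows whether it carries an address there.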


