WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 

xen-users

Re: [Xen-users] How to setup my Xen network?

To: lists@xxxxxxxxxxxxx
Subject: Re: [Xen-users] How to setup my Xen network?
From: Mike Wright <mike.wright@xxxxxxxxxxxxxx>
Date: Mon, 20 Oct 2008 13:49:39 -0700
Cc: xen-users <xen-users@xxxxxxxxxxxxxxxxxxx>
Delivery-date: Mon, 20 Oct 2008 13:50:25 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <27133572.1151224505500360.JavaMail.root@xxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <27133572.1151224505500360.JavaMail.root@xxxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla Thunderbird 1.0.2-6 (X11/20050513)
lists@xxxxxxxxxxxxx wrote:
Hi all,

I have several servers I'd like to consolidate to Xen 3.2 and I am having a bit 
of trouble with firewalls and the best network environment to choose from.  I 
have read documentation here and there but I am a bit confused now and after 
some advice or specific documentation.

1/ I'd like the following but have had problems getting it to work with a 
firewall on Dom0


                                |-> Dom1 (10.0.0.10) - Mail
WAN <-----> eth0 Dom0 <---------|-> Dom2 (10.0.0.10) - Web
        (87.98.252.205)         |-> Dom3 (10.0.0.10) - Web

Where Dom0 is the firewall and DomUs are natted.  Dom0 would have a web proxy 
to redirect http to the right server.  I tried getting this to work with 
shorewall but it's a no go.  Has someone managed this setup with a proper 
firewall in place?

2/ Second option would be to use a bridge but I'm not sure the following would 
work

          |-> Dom0 87.98.252.205 - (Restricted)
          |-> Dom1 98.12.113.200 - Mail
WAN <-----|-> Dom2 99.130.15.200 - Web
          |-> Dom3 85.99.120.113 - Web

Can I have a bridge with public IPs in completely different ranges?

3/ Last but not least is a theory I found about putting the Dom1 as the 
firewall, locking out Dom0 for security reasons and having the whole environment 
natted.  If this would work for me, is there any documentation?  I see threads 
and attempts but no real documentation on how this is done.

Many thanks for any help you can provide.  Like I said, pointers to good 
documentation are more than welcome!

Hi, eco!

Here is a link to a setup I built back in '06. I don't claim that it's *good* documentation.

  http://www.hostisimo.com/xen-howto.html

It uses xen-3.0.2 so some things have certainly changed but this may serve as a basis for your efforts.

Because it is in a controlled access environment and at times I need to hang physical boxes onto the various bridges I used three physical NICs. In your case you would only need the WAN to be physical; the DMZ would use a tap device for the bridge.

Chop off what you don't need and use what you do.

I hope you have as much fun as I did getting all the pieces to work together.

nb: this doc resides on a low bandwidth adsl connection so access may not be too zippy.

hth,
Mike Wright :m)
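For option 1 in the question (Dom0 as the NAT firewall, DomUs on a private bridge, a web proxy on Dom0 answering port 80), the following generator shows the minimal default-deny iptables rule set and the sanity checks worth running before applying it. This is an added example, not code from the thread or from the linked howto; the private subnet 10.0.0.0/24, the DomU addresses 10.0.0.11/10.0.0.12 and the per-service port list are assumed, and the generator refuses duplicate DomU addresses (the diagram in the question lists 10.0.0.10 three times).

```python
"""Rule generator for a Dom0 NAT firewall in front of DomUs on a private bridge.
Added example, not code from the thread; subnet, DomU IPs and ports are assumed."""
import ipaddress

PRIVATE_NET = ipaddress.ip_network("10.0.0.0/24")  # assumed DomU subnet


def check_domus(domus):
    """Return a list of problems with (name, ip, ports) entries; empty if OK."""
    problems, seen = [], {}
    for name, ip, _ports in domus:
        addr = ipaddress.ip_address(ip)
        if addr not in PRIVATE_NET:
            problems.append(f"{name}: {ip} is outside {PRIVATE_NET}")
        if addr in seen:
            problems.append(f"{name}: {ip} already used by {seen[addr]}")
        seen.setdefault(addr, name)
    return problems


def build_nat_rules(wan_if, wan_ip, domus):
    """Return the iptables commands Dom0 needs, as strings (nothing is executed).

    Only the ports listed per DomU are DNATed in.  HTTP is never forwarded:
    the proxy on Dom0 terminates it and reaches the web DomUs over the bridge."""
    problems = check_domus(domus)
    if problems:
        raise ValueError("; ".join(problems))
    rules = [
        # Default deny both for Dom0 itself and for traffic crossing it.
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
        # The proxy is the only service reachable on the WAN address itself.
        f"iptables -A INPUT -i {wan_if} -d {wan_ip} -p tcp --dport 80 -m state --state NEW -j ACCEPT",
        # DomUs may initiate outbound connections, hidden behind the WAN address.
        f"iptables -A FORWARD -s {PRIVATE_NET} -o {wan_if} -m state --state NEW -j ACCEPT",
        f"iptables -t nat -A POSTROUTING -s {PRIVATE_NET} -o {wan_if} -j SNAT --to-source {wan_ip}",
    ]
    for name, ip, ports in domus:
        for port in ports:  # explicit per-service pinholes, e.g. SMTP to the mail DomU
            rules.append(f"iptables -t nat -A PREROUTING -i {wan_if} -d {wan_ip} "
                         f"-p tcp --dport {port} -j DNAT --to-destination {ip}:{port}")
            rules.append(f"iptables -A FORWARD -i {wan_if} -d {ip} -p tcp --dport {port} "
                         f"-m state --state NEW -m comment --comment {name} -j ACCEPT")
    return rules


if __name__ == "__main__":
    DOMUS = [("Dom1", "10.0.0.10", [25]), ("Dom2", "10.0.0.11", []), ("Dom3", "10.0.0.12", [])]
    print("\n".join(build_nat_rules("eth0", "87.98.252.205", DOMUS)))
```

Apply the output only after reviewing it on the Dom0 in question; the web DomUs get no DNAT at all because the proxy, not the firewall, decides which of them serves a given host name.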

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users