WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

RE: [Xen-users] Isolated network




-----Original Message-----
From: Jeff Sturm [mailto:jeff.sturm@xxxxxxxxxx]
Sent: Fri 04/06/2010 17:24
To: Jonathan Tripathy; Xen-users@xxxxxxxxxxxxxxxxxxx
Subject: RE: [Xen-users] Isolated network

>>> Sorry, I think I worded my post wrong. What I meant was: is there a
>>> way to make sure that the DomUs can't access the Dom0, i.e. so they
>>> are on an isolated network. By default in virt-manager, the Dom0
>>> gets attached to each bridge created...

>> Simply don't assign an IP to the bridge device in your dom0.

> And this is secure? Could I make it any better by using ebtables or
> anything like that?

You may want to do other things like disable IP forwarding and make sure
there's nothing else on your network that will route from your domU to
your dom0 network.  If your dom0 doesn't have separate physical
interfaces, creating VLANs to segregate the networks is helpful.

I can't say whether this is bulletproof, since I don't follow much
research on Xen security.  But it's a starting point, and the one I
would choose.

-Jeff

-------------------------------------------
Disabling forwarding is a good idea indeed.

Bit confused about the physical interface thing. All my physical interfaces will be passed through to a "firewall DomU", and it was my intention to just create a separate bridge with which the Dom0 would communicate with the firewall. Then there would be another bridge with which the other DomUs would communicate with the firewall.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
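An added example, not code from the thread, that audits the dom0 side of the guest bridge for the two conditions Jeff describes (no address on the bridge, IP forwarding off) in a layout like Jonathan's, where the DomU-facing bridge has no reason to be reachable from dom0. It assumes a Linux dom0 with the `ip` tool and the usual sysctl paths, a constructed bridge name `xenbr-guest`, and constructed `ip addr` output for the offline checks; it goes one step beyond the thread by treating the kernel's automatic IPv6 link-local address as an address too, since a DomU on the same bridge can reach dom0 through it.

```shell
#!/bin/sh
# Added example, not from the thread. Bridge name xenbr-guest and the
# sample `ip addr` outputs below are constructed for illustration.

# Succeed when `ip addr show dev <bridge>` output carries no IPv4 and no
# IPv6 address. IPv6 link-local (fe80::) counts: the kernel adds it on its
# own, so dom0 stays reachable over it even though nothing was "assigned".
bridge_has_no_ip() {
    ! printf '%s\n' "$1" | grep -Eq '^[[:space:]]*inet6? '
}

# Succeed when the value read from /proc/sys/net/ipv4/ip_forward is 0.
forwarding_disabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "0" ]
}

# Constructed sample: no IPv4, but the auto-assigned IPv6 link-local leaks.
SAMPLE_LINKLOCAL='4: xenbr-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    link/ether 00:16:3e:00:00:01 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::216:3eff:fe00:1/64 scope link
       valid_lft forever preferred_lft forever'

# Constructed sample with IPv6 disabled on the bridge: no addresses at all.
SAMPLE_CLEAN='4: xenbr-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    link/ether 00:16:3e:00:00:01 brd ff:ff:ff:ff:ff:ff'

# Live audit on this dom0: one line per check, returns 1 if anything fails.
audit_dom0() {
    br="${1:-xenbr-guest}"; rc=0
    out="$(ip addr show dev "$br" 2>/dev/null)"
    if [ -z "$out" ]; then
        echo "FAIL bridge $br not found"; rc=1
    elif bridge_has_no_ip "$out"; then
        echo "ok   $br carries no IPv4/IPv6 address in dom0"
    else
        echo "FAIL $br has an address in dom0 (link-local too? try" \
             "sysctl -w net.ipv6.conf.$br.disable_ipv6=1)"; rc=1
    fi
    if forwarding_disabled "$(cat /proc/sys/net/ipv4/ip_forward)"; then
        echo "ok   net.ipv4.ip_forward = 0"
    else
        echo "FAIL ip_forward enabled (sysctl -w net.ipv4.ip_forward=0)"; rc=1
    fi
    return $rc
}

# Run the live checks only when invoked as: sh audit.sh --run [bridge]
case "${1:-}" in --run) audit_dom0 "${2:-xenbr-guest}" ;; esac
```

Without `--run` the file only defines the functions and sample data, so it can be sourced and the checks called against captured output from another host.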