Le 20/12/2010 23:45, dave a écrit :
>> As far as I have seen, there are no way to attach domU nic directly to
>> my firewall domU. So, dom0 will always have access to network traffic
>> from domU, right ?
> only if you add dom0 interface to bridge. for example:
> domu-2 : tap2 --|
> domu-1 : tap1 --|
> domu-fw : tapfw --|
> dom0 : tap0 --|
> so only do
> brctl addif tap-br0 tap0
> when dom0 needs to join the LAN, then
> brctl delif tap-br0 tap0
> when you want dom0 to leave the LAN.
> Again, I'm not sure if this is what you're trying to do, but it will
> isolate dom0 from your virtual LAN.
I understand what you mean. But even if dom0 has no interface bridged, I
think I'll be able to listen to network traffic, no ?
That is, a tcpdump -i tap-br0 will display network traffic from domU,
Then, what if I want to block that ? Will I have to use VPN (either SSL
or IPSEC) in order to make dom0 unable to listen for traffic ? Is it
I want to mitigate consequences if dom0 get compromised, that's why I'm
trying to isolate network.
Thanks for all explanations, I've many things to test now :)
Xen-users mailing list