Subject: firewall in domU, bridging or hiding interfaces
To: NetBSD/xen <port-xen@NetBSD.org>
From: Joel CARNAT <joel@carnat.net>
List: port-xen
Date: 04/20/2006 21:51:41

Hi,

I'm looking at re-building my home LAN into a single Xen server
architecture. I plan to do something like "Option B" as described in
http://lists.xensource.com/archives/html/xen-users/2005-08/msg00315.html

My question is about securing the "public/Internet" interface.
My Xen dom0 has ex0 and ex1; ex0 is configured as the "internal/LAN"
interface; ex1 is not configured yet but is supposed to be plugged into
my ADSL router. Is it better to:
(1) hide ex1 from dom0 and export it to domU/FW
(2) bridge ex1 from dom0 (without an IP) to domU/FW (with an IP)

I suspect solution (2) makes dom0 able to see traffic from/to the
Internet, so it has to protect itself with pf/ipf. When choosing
solution (1), packet filtering only has to be done in domU/FW (to
filter traffic from the Internet to my LAN), right?

I'm just not sure I understand how to achieve physical interface
separation between domU/FW and (dom0 and the rest of the domUs).

TIA,
	Jo
-- 
NetBSD brought my daemons to the Sun (c)
