Subject: firewall in domU, bridging or hiding interfaces
To: NetBSD/xen <port-xen@NetBSD.org>
From: Joel CARNAT <joel@carnat.net>
List: port-xen
Date: 04/20/2006 21:51:41
--EVF5PPMfhYS0aIcm
Content-Type: text/plain; charset=iso-8859-15
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Hi,
I'm looking at re-building my home-LAN into a one Xen server
architecture. I plan to do something like "Option B" as described in
http://lists.xensource.com/archives/html/xen-users/2005-08/msg00315.html
My question is about securing the "public/Internet" interface.
My xen dom0 has ex0 and ex1 ; ex0 being configured as the "internal/LAN"
interface ; ex1 is not configured yet but is supposed to be plugged to
my ADSL router. Is it better to:
- hide ex1 to dom0 and export it do domU/FW
- bridge ex1 from dom0 (without an IP) to domU/FW (with an IP)
I suspect solution (2) makes dom0 being able to see traffic from/to
Internet so it has to protect him-self with pf/ipf. When choosing
solution (1), paquet filtering only has to be done into domU/FW (to
filter traffic from Internet to my LAN), right ?
I'm just not sure to understand how to achieve physical interface
seperation between domU/FW and (dom0 and the rest of domUs).
TIA,
Jo
--=20
NetBSD brought my daemons to the Sun (c)
--EVF5PPMfhYS0aIcm
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (NetBSD)
iD8DBQFER+ZN0/VH7L7F7Y4RAru8AJ4yY6pjoIg1LvZvMY40YUBhxW8ADACeJGL6
BY4jK15Gkg/YMExWGs/I1Y8=
=bbjg
-----END PGP SIGNATURE-----
--EVF5PPMfhYS0aIcm--