Subject: Re: Re: firewall in domU, bridging or hiding interfaces
To: Greg Troxel <gdt@ir.bbn.com>
From: Joel CARNAT <joel@carnat.net>
List: port-xen
Date: 04/22/2006 00:52:53

On Fri, Apr 21 2006 - 08:31, Greg Troxel wrote:
> Joel CARNAT <joel@carnat.net> writes:
> 
> > - hide ex1 to dom0 and export it do domU/FW
> > - bridge ex1 from dom0 (without an IP) to domU/FW (with an IP)
> 
> Both should work.  But, I suspect bridging will be less grief over
> time and upgrades.
> 

OK but what about security? I suppose bridging makes dom0 aware of
the traffic and vulnerable to some <whatever-attack>, no?

For the challenge, I tried hiding one of my 3COM but it doesn't work :(
# pcictl pci0 list
...
000:09:0: 3Com 3c905C-TX 10/100 Ethernet with mngmt (ethernet network, revision 0x6c)
000:11:0: 3Com 3c905C-TX 10/100 Ethernet with mngmt (ethernet network, revision 0x6c)
000:13:0: 3Com 3c905B-TX 10/100 Ethernet (ethernet network, revision 0x30)
# grep hide /grub/menu.lst
kernel (hd0,0,a)/usr/pkg/xen-kernel/xen.gz dom0_mem=131072 com1=9600,8n1 physdev_dom0_hide='(00:0D.0)'

but dom0 still sees the 3 cards...
what did I miss ?

TIA,
	Jo
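
As an added example (not code from the thread), a small sh script that turns the decimal bus:dev:func prefixes of the `pcictl pci0 list` output above into the `(bb:dd.f)` hex notation of the `physdev_dom0_hide` line and checks whether a given hide entry names one of the listed devices. It assumes pcictl prints decimal and the Xen option takes hex, as the two listings in the message suggest, and that only a single hide entry is present; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes `pcictl pci0 list` prints
# bus:dev:func in decimal (as in the listing above) and that physdev_dom0_hide
# takes a single entry written as (bb:dd.f) in hex, as in the menu.lst line above.

# Constructed sample: the three lines from the pcictl listing in the message.
PCICTL_SAMPLE='000:09:0: 3Com 3c905C-TX 10/100 Ethernet with mngmt (ethernet network, revision 0x6c)
000:11:0: 3Com 3c905C-TX 10/100 Ethernet with mngmt (ethernet network, revision 0x6c)
000:13:0: 3Com 3c905B-TX 10/100 Ethernet (ethernet network, revision 0x30)'

# Constructed sample: the kernel line from the menu.lst grep in the message.
MENU_SAMPLE="kernel (hd0,0,a)/usr/pkg/xen-kernel/xen.gz dom0_mem=131072 com1=9600,8n1 physdev_dom0_hide='(00:0D.0)'"

# hide_entries_for: read pcictl lines on stdin and print, one per line, the
# (bb:dd.f) entry that would hide each device. awk parses the decimal fields
# ("09" -> 9, "13" -> 13) and prints them as two-digit uppercase hex.
hide_entries_for() {
    awk -F: '/^[0-9]+:[0-9]+:[0-9]+:/ { printf "(%02X:%02X.%d)\n", $1+0, $2+0, $3+0 }'
}

# hide_value_from_grub: extract the quoted physdev_dom0_hide value from a
# kernel line (prints nothing if the option is absent).
hide_value_from_grub() {
    printf '%s\n' "$1" | sed -n "s/.*physdev_dom0_hide='\([^']*\)'.*/\1/p"
}

# hidden_in_list: succeed (exit 0) if the hide entry given as $1 names a
# device present in the pcictl output on stdin; hex case is ignored.
hidden_in_list() {
    hide_entries_for | grep -qixF "$1"
}

# Stand-alone run: show the mapping, then check the sample menu.lst value.
printf '%s\n' "$PCICTL_SAMPLE" | hide_entries_for
hide=$(hide_value_from_grub "$MENU_SAMPLE")
if printf '%s\n' "$PCICTL_SAMPLE" | hidden_in_list "$hide"; then
    echo "$hide matches a device in the pcictl listing"
else
    echo "$hide matches no device in the pcictl listing"
fi
```

Feeding it the real `pcictl pci0 list` output instead of the constructed sample shows which `(bb:dd.f)` string corresponds to each card in the decimal listing.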
