On Wed, Nov 15, 2006 at 02:25:52PM +0200, Anzi wrote:
> Hi,
> 
> What is the best way to use xen so that dom0 (netbsd3.1) machine has 
> several network cards and only on "managent interface". I mean that 
> DomU:s may be on the dmz zone and dom0 is on the internal network? I 
> think that it is possible with exporting nics as pci devices but is this 
> operational yet?

This is possible with Xen-2 (I've not looked at this for Xen-3), but
from a security POW your domU has the same powers as your dom0 (can access
the whole memory though the DMA engine of the cards).

> 
> Anybody has has better ideas?
> 
> I currently assigned and public-ip address for DOM0 and DOMU and used 
> standard network-bridge vif. This has the downside that dom0 is then 
> also publicly available (they are behind firewall).
> DomU is an Fedora Core 6

You don't have to put an IP on an interface to be able to bridge it, you can
just make it up. I would still recommend setting up a ipf.conf and ipf6.conf
to make sure dom0 won't get IP traffic from this interface though.

-- 
Manuel Bouyer, LIP6, Universite Paris VI.           Manuel.Bouyer@lip6.fr
     NetBSD: 26 ans d'experience feront toujours la difference
--