tupshin at tupshin
Apr 3, 2005, 6:07 PM
Post #2 of 6
William (Andy) Smith wrote:
>One particularly nasty thought is to have Host 1 and Host 2 each serve
>'firewall' guest domains. We have one routing IP outside of our 'public' IP
>network, and our provider will allow us a second routing IP. I would need to
>prove the theory that I can isolate the NIC device and its traffic from
>Domain 0 and all other domains in a firewall application.
I can attest that this works quite well. I have a domU acting as a
router/firewall, and aside from having to hack the bridging script to
support 3 nics, it worked without a problem.
The machine has 3 nics (internet, dmz, internal), and the dom0 boots up
with an IP address only on the internal nic (eth1, eth2, xen-br1, and
xen-br2 are all "up", but with no address assigned). The router domU is
given access to all 3 nics:
vif = [ 'mac=cc:cc:cc:cc:cc:19, bridge=xen-br0', 'mac=cc:cc:cc:cc:cc:20, bridge=xen-br1', 'mac=cc:cc:cc:cc:cc:21, bridge=xen-br2' ]
while all the other domUs are only given access to the dmz nic. The
router domU then runs pppoe (for DSL), and standard iptables natting and
routing using the shorewall package, though any iptables based routing
approach should work fine.
This has been working quite stably for me for a while, starting with xen
2.0.4, then 2.0.5, and right now, unstable 3.0 as of a week or so ago.
Let me know (on or off list) if you have any questions about this setup.
Xen-users mailing list
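The isolation described in the post rests on two facts: dom0 holds no address on the internet and dmz bridges, and only the router domU's vif line names all three bridges. The POSIX sh script below is an added check for both, not code from the post; it uses the bridge names and vif line from the post and a constructed sample of `ip -4 -o addr show` output in place of live dom0 output.

```shell
#!/bin/sh
# Constructed sample of `ip -4 -o addr show` on dom0 (not real output): only the
# internal bridge xen-br1 carries an address, matching the setup in the post.
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
5: xen-br1    inet 192.168.10.1/24 brd 192.168.10.255 scope global xen-br1\       valid_lft forever preferred_lft forever'

# The router domU vif line as given in the post.
SAMPLE_VIF="vif = [ 'mac=cc:cc:cc:cc:cc:19, bridge=xen-br0', 'mac=cc:cc:cc:cc:cc:20, bridge=xen-br1', 'mac=cc:cc:cc:cc:cc:21, bridge=xen-br2' ]"

# unaddressed_interfaces ADDR_OUTPUT IFNAME...
# Returns 0 when none of the named interfaces has an IPv4 address in the
# `ip -4 -o addr show` output; otherwise prints the offenders and returns 1.
# Field 2 of each `-o` line is the interface name, field 3 is "inet".
unaddressed_interfaces() {
    addr_output=$1; shift
    bad=""
    for ifname in "$@"; do
        if printf '%s\n' "$addr_output" |
            awk -v n="$ifname" '$2 == n && $3 == "inet" { found = 1 } END { exit !found }'; then
            bad="$bad $ifname"
        fi
    done
    [ -z "$bad" ] && return 0
    printf 'dom0 has an IPv4 address on:%s\n' "$bad"
    return 1
}

# vif_covers_bridges VIF_LINE BRIDGE...
# Returns 0 when every named bridge appears as bridge=NAME in the vif line
# (followed by a quote, comma, space or bracket so xen-br1 does not match xen-br10).
vif_covers_bridges() {
    vif_line=$1; shift
    missing=""
    for br in "$@"; do
        printf '%s\n' "$vif_line" | grep -q "bridge=$br[]', ]" || missing="$missing $br"
    done
    [ -z "$missing" ] && return 0
    printf 'router domU vif line lacks:%s\n' "$missing"
    return 1
}

# Run both checks against the constructed samples; on a real dom0 replace
# SAMPLE_ADDR with "$(ip -4 -o addr show)" and SAMPLE_VIF with the domU config line.
unaddressed_interfaces "$SAMPLE_ADDR" xen-br0 xen-br2 && echo "external bridges carry no dom0 address: OK"
vif_covers_bridges "$SAMPLE_VIF" xen-br0 xen-br1 xen-br2 && echo "router domU is on all three bridges: OK"
```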