> On Thu, Jan 30, 2014 at 5:21 PM, Thomas Huber <miraculli at gmail.com> wrote:
>
> > Hi out there,
> >
> > is it a good idea to set up a kind of virtual router inside a LXC?
> > I got a server with dual 1Gbit NIC and the server should run several
> > services.
> > I also would like to use it as a router and I thought it would be quite
> > nice to set it up inside a LXC by mapping the WAN-port with
> > "lxc.network.type = phys" to the container.
> >
> > first of all: is this a good idea?
>
> I suggest you try it, and see if it works for your case.
>
> In my case, I tested using phys for a while on a container for a somewhat
> busy webserver. It worked fine initially, but the problem came when I
> shut down the container. The container is gone, but the interface was not
> visible on the host again, which makes it impossible to restart the container.
>
> I ended up reverting to veth instead. Using that same container, the veth
> (on the host side) was not deleted when the container was destroyed, but I
> can force-destroy it using "ip link del" and "lxc.network.script.down".
>
> > second: is it possible
>
> possible, yes. As long as the needed iptables modules are already loaded on
> the host side.
>
> > to do all the firewalling inside the LXC or is it better (more secure) to
> > do this at the host?
>
> That is what I usually do.
>
> --
> FAN

Thanks for your reply… So you think it's no problem to map the WAN-port as "veth"?

Just to avoid misunderstanding: you usually do what? Run the firewall inside LXC or on the host?

mirac
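
The veth cleanup FAN describes ("ip link del" from "lxc.network.script.down"), written out as an added example that is not part of the thread or of LXC itself. It assumes the hook receives the arguments `<container> net down <type> <host-side ifname>` as described in lxc.container.conf(5); the function names and the install path in the comment are hypothetical.

```shell
#!/bin/sh
# Hypothetical down hook, referenced from the container config as:
#   lxc.network.type        = veth
#   lxc.network.script.down = /usr/local/sbin/lxc-veth-down   (assumed path)
# Assumed call convention: <container> net down <type> <host-side ifname>

# Decide which host interface, if any, may be removed.
# Prints the name and returns 0 only for a veth device with a sane name,
# so a phys NIC (such as the WAN port) is never deleted by this hook.
veth_to_remove() {
    [ "$2" = "net" ] && [ "$3" = "down" ] || return 1
    [ "$4" = "veth" ] || return 1            # skip phys, macvlan, empty
    case "$5" in
        ""|*[!A-Za-z0-9_.-]*) return 1 ;;    # empty or unexpected characters
    esac
    [ "${#5}" -le 15 ] || return 1           # kernel interface name limit
    printf '%s\n' "$5"
}

# Remove the leftover host-side veth if it still exists.
cleanup_veth() {
    dev=$(veth_to_remove "$@") || return 0   # nothing to do is not an error
    if ip link show dev "$dev" >/dev/null 2>&1; then
        ip link del dev "$dev"
    fi
}

cleanup_veth "$@"
```

The hook runs as root on the host, so the interface name is validated before it reaches `ip link del`.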
