Darren Thompson wrote:

> Madison et al (sorry I did not realise Kelly was your surname ;-)
>
> To provide increased protection for your Dom0s, what you can do is configure the last bridge (br2) (e.g. the one that your VM will be attaching to) as a "bind bridge".
>
> By that I mean remove the IP address from the ethernet port and the bridge. The bridge is a layer 2 device so does not need an IP address to function, and it adds one more layer of isolation between the Internet and your Dom0 servers.
>
> I currently use this style for some Internet facing servers myself and so far (touch wood) no one has yet managed to compromise any of my Dom0 servers, and I'm sure that brighter minds than mine have tried... :-)
>
> The down side of that is that the VMs will not be able to communicate with the Dom0 servers (except through an external router/firewall). You can still access the VMs' consoles through 'virt-manager' as it sets up some sort of VNC proxy port.
>
> Again,
>
> I hope this helps
>
> Darren
No worries about the name, I've gotten used to answering both Madi and Kelly. :P

I think I am doing the same thing, if I understand what you are suggesting. Being that peth2 is polluted with the internet, dom0's eth2 has no IP (nor the bridge). The only device with IPs on the Internet-facing bridge is my firewall's 'eth1' (connected to xenbr2). Then a firewall protects connections to all other VMs, inc. dom0s. Is this indeed what you are doing?

I've not worried about direct access because, should anything go very wrong, I can always log into the office's internal network and get at the nodes via IPMI.

Anywho, if I misunderstood, let me know. If I am doing the same, then cool. As they say, geniuses think alike and fools seldom differ. :D

Cheers!

Madi

_______________________________________________
Openais mailing list
[email protected]
https://lists.linux-foundation.org/mailman/listinfo/openais
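The "bind bridge" layout Darren describes and Madi confirms (no IP on the Internet-facing physical port or on the bridge itself) is easy to drift away from after a reboot or a networking-script change, so here is an added audit check that is not from the thread or from any Xen tooling. It parses `ip -o -4 addr show` output and reports any of the named interfaces that carry an IPv4 address; the interface names (eth2, peth2, xenbr2) are taken from the thread, and the sample outputs below are constructed.

```shell
#!/bin/sh
# Audit check: confirm that an Internet-facing Xen bridge and its physical
# port carry no IPv4 address. Constructed sample outputs in the format of
# `ip -o -4 addr show` (one line per address, fields: idx, dev, "inet", addr).
SAMPLE_BAD='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.10.5/24 brd 192.168.10.255 scope global eth0
5: xenbr2    inet 203.0.113.7/24 brd 203.0.113.255 scope global xenbr2'

SAMPLE_GOOD='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.10.5/24 brd 192.168.10.255 scope global eth0'

# Print, one per line, the IPv4 addresses assigned to one interface.
# $1 = `ip -o -4 addr show` output, $2 = interface name.
iface_addrs() {
    printf '%s\n' "$1" | awk -v dev="$2" '$2 == dev && $3 == "inet" { print $4 }'
}

# Return 0 when none of the named interfaces carry an IPv4 address, 1 otherwise,
# naming each offender and its address(es) on stdout.
# $1 = `ip -o -4 addr show` output; remaining args = interfaces that must be bare.
check_bind_bridge() {
    out=$1; shift
    rc=0
    for dev in "$@"; do
        addrs=$(iface_addrs "$out" "$dev")
        if [ -n "$addrs" ]; then
            # Join the address lines with single spaces via "$*" in a subshell.
            ( set -- $addrs; printf '%s has address(es): %s\n' "$dev" "$*" )
            rc=1
        fi
    done
    return "$rc"
}

# Demonstration on the constructed samples; on a real Dom0 pass
# "$(ip -o -4 addr show)" as the first argument instead.
if check_bind_bridge "$SAMPLE_BAD" eth2 peth2 xenbr2; then
    echo "bind bridge layout intact"
else
    echo "bind bridge layout violated: remove the address(es) listed above"
fi
```

Run it from cron or a config-management check so an interface that regains an address (for example after a distribution network script re-runs) is noticed rather than discovered by an attacker.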
