Hi

Thank you for your reply.

I was just thinking it might be too complicated to define zones, policies
and rules if I am to do firewalling at the Dom 0 level. It would be too
complex as I have six network cards and six ethernet bridges at the Dom 0
level.

Just to confirm your point #2:

Dom 0 - eth0 / xenbr0 only - eth0 configured as 192.168.1.1 for management
purposes. This will be the only interface for Dom 0. Firewalling in Dom 0 is
only for eth0. Perhaps open ports for ssh only.

eth1 / xenbr1 - no IP address configured in Dom 0 - reserved for virtual
machine Dom 1
eth2 / xenbr2 - no IP address configured in Dom 0 - reserved for virtual
machine Dom 2
eth3 / xenbr3 - no IP address configured in Dom 0 - reserved for virtual
machine Dom 3
eth4 / xenbr4 - no IP address configured in Dom 0 - reserved for virtual
machine Dom 4
eth5 / xenbr5 - no IP address configured in Dom 0 - reserved for virtual
machine Dom 5

Thus I will configure the IP address for the virtual eth0 inside the virtual
machines and do the firewalling for eth0 inside the VMs.

Hope I understood correctly.

When I configured Dom 1 as 192.168.1.2/255.255.255.0, I couldn't ping Dom 1
from Dom 0. Similarly, I could not ping Dom 0 from Dom 1. I get Destination
Host Unreachable error messages. Any fix?

Thank you.

On 7/30/07, Simon Hobson <[EMAIL PROTECTED]> wrote:
>
> Teo En Ming wrote:
>
> >I have a 64-bit server running RHEL 5 x86_64 Xen Virtualization.
> >There are 6 NICs in this Xen Host.
> >
> >The interface names in Dom 0 are:
> >
> >eth0 - xenbr0 - reserved for Dom 0 Host Management Administration
> >eth1 - xenbr1 - reserved for Virtual Machine #1
> >eth2 - xenbr2 - reserved for Virtual Machine #2
> >eth3 - xenbr3 - reserved for Virtual Machine #3
> >eth4 - xenbr4 - reserved for Virtual Machine #4
> >eth5 - xenbr5 - reserved for Virtual Machine #5
> >
> >How should I configure shorewall in this case of multiple nics, each
> >nic being dedicated to a Virtual Machine?
>
> You have two main options:
>
> 1) You could run shorewall in the Dom-0 and configure policies/rules
> as required.
>
> 2) You don't bother trying to filter at the Dom-0 bridge level, but
> instead run Shorewall on each VM - and that simply means using the
> single interface config examples. Each VM will simply have a single
> 'eth0' and the single interface config examples should work without
> modification.
>
> I would do the latter, it's far easier to set up, plus your
> firewalling is configured per VM and it's easier than keeping track
> of firewall rules running on a 'machine' that is different to the
> machine the services are hosted on.
>
> As for protecting the Dom-0, you can again run Shorewall and follow
> the single interface examples - just using eth0 and not assigning IP
> addresses to any of the vif0.n interfaces.
>
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
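The "single interface, ssh only" layout the thread settles on (eth0 in zone `net`, the VM itself as `$FW`), as an added example that is not part of the thread or of Shorewall itself: a small evaluator of Shorewall-style `policy` and `rules` files, using constructed sample files, that reports which traffic the VM would accept. It handles only plain zone names (no `zone:address` qualifiers or macros), and it shows that with a `net all DROP` policy, ICMP echo has to be opened explicitly before ping from the network can succeed.

```python
"""Evaluate a Shorewall-style policy/rules pair for one VM (constructed sample)."""

# Constructed sample: Shorewall's single-interface layout with eth0 in zone
# "net" and the VM itself as $FW.  Only ssh is opened from the network.
POLICY = """
#SOURCE  DEST  POLICY  LOG
$FW      net   ACCEPT
net      all   DROP    info
all      all   REJECT  info
"""

RULES = """
#ACTION  SOURCE  DEST  PROTO  DEST_PORT
ACCEPT   net     $FW   tcp    22
"""

# Same rules plus ICMP echo-request (type 8) from the network to the VM.
RULES_WITH_PING = RULES + "ACCEPT   net     $FW   icmp   8\n"


def parse(text):
    """Return non-blank, non-comment lines split into whitespace columns."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def decide(src, dst, proto, dport, rules_text=RULES, policy_text=POLICY):
    """First matching rule wins; otherwise the first matching policy line.

    Policies accept 'all' as a wildcard; rules match exact zone names only.
    """
    for action, rsrc, rdst, rproto, rport, *_ in parse(rules_text):
        if rsrc == src and rdst == dst and rproto == proto \
                and rport in ("-", str(dport)):
            return action
    for psrc, pdst, policy, *_ in parse(policy_text):
        if psrc in (src, "all") and pdst in (dst, "all"):
            return policy
    return "REJECT"  # nothing matched at all


if __name__ == "__main__":
    for label, rules in (("ssh only", RULES), ("ssh + ping", RULES_WITH_PING)):
        print(label, "-> ssh:", decide("net", "$FW", "tcp", 22, rules),
              "ping:", decide("net", "$FW", "icmp", 8, rules))
```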