----- "Simon Hobson" <[EMAIL PROTECTED]> wrote:
> >Shows I still have a lot to learn about Xen. Am I right in thinking
> >your setup will still only allow one DomU to use the public IP?
>
> Correct - but see below.
>
> >I went over Tom's documentation again and I see that although
> >eth0 has several public IPs, both DomUs (eth3/4) are using the same
> >public IP (206.124.146.176). Won't this setup allow multiple DomUs
> >to share a single public IP?
>
> Port forwarding and/or proxy arp. IIRC, in Tom's current setup, he
> uses proxy-arp to pass-through certain IPs to machines behind the
> router. In the case where you only have one public address, then you
> will need to 'port forward' certain traffic to certain hosts - see
> DNAT.
>
> >What is the difference between a "Hardware nat" and Xen-natted that
> >makes it impossible to firewall?
>
> Not sure what you mean by 'hardware nat'. The problem with Xen, NAT,
> and firewalling is that Xen makes the networking environment very
> complicated. I really am a loooong way from understanding it, but
> from comments made by people (like Tom) who know more than I do it
> could be that the way the traffic passes through the various bits of
> networking system means that it does not pass through the right places
> in the right order to also support NAT in a meaningful way.
>
-------------------------------------------------------------------------
So in short, there is no way for me to have several DomUs share a single public IP. So what are my options?

- Having multiple public IPs on a single interface (eth0-WAN) and use Xen-Bridged. This way, Dom0 is "invisible" and the DomUs are directly connected to the WAN. I then install shorewall on each DomU.
- Having multiple public IPs on a single interface (eth0-WAN) and use Xen-natted. Guess not, it would still be the same NAT problem, right?

Any other option I might have to protect my DomUs and still make them available to the WAN?

Your help is much appreciated! There I was thinking that all I had to do was set up shorewall and be done with it.

--
eco

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
