On Tue, Apr 21, 2015 at 07:39:37PM +0000, [email protected] wrote:
> 
> IIUC that's one of three ways I can think of to handle the firewall,
> 
> (1) 2 ethernet interfaces in the Dom0 host, shorewall on the Dom0
> (2) 1 ethernet interface in the Dom0 host, 1 eth intfc in a DomU guest, 
> shorewall in the Guest,
> (3) 2 ethernet interfaces in the DomU guest, shorewall in the DomU 
> guest, guest internal intfc connected to an Ethernet switch.
> 
> I'm looking for any comments or advice for which way is the 'sanest' 
> approach, and to understand why.
> 
> I'd appreciate any ideas!
> 
Personally, I like the approach of running Shorewall inside of each
domU.  But then, I employ the "every node on the network is untrusted by
default" approach.  I have all the physical interfaces in the dom0 (with
the dom0 only filtering traffic on its own virtual interface which is
connected to the physical bridge interface).  Each domU is then connected
to the bridge by the dom0, but the domU is responsible for its own
filtering.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
