[email protected] wrote:
> Roberto C. Sánchez wrote:
>> Personally, I like the approach of running Shorewall inside of each
>> domU. But then, I employ the "every node on the network is untrusted by
>> default" approach. I have all the physical interfaces in the dom0 (with
>> the dom0 only filtering traffic on its own virtual interface which is
>> connected to the physical bridge interface). Each domU is then connected
>> to the bridge by the dom0, but the domU is responsible for its own
>> filtering.
+1 - that's how I run stuff as well. With a twist that I have (at home) a DomU just for the external gateway.

> In your approach, which do you use as the connection to the 'net? In
> other words, your 'edge'? The Dom0 or one of the DomUs?
>
> With no interfaces passed through, I'm guessing the Dom0?

I have two different scenarios.

At home, I run a gateway in a DomU - it does PPPoE for the VDSL service, and IPv6 via a Hurricane Electric tunnel. For physical connectivity, I've done it several different ways: at one point, I had a separate NIC with PCI passthrough to make it part of the DomU. The internet was handled by a modem which did the PPPoA stuff and presented raw IP over ethernet. I currently only have one NIC, and I run PPPoE over the same network as my internal network. It's not as secure as having a separate NIC, but I never got round to looking for a low profile PCIe NIC to fit my current server - and all the external traffic is encapsulated in PPPoE, so other than eavesdropping (not an issue at home) it's secure enough.

At work, my Xen and Linux stuff is all part of a much bigger network. I just have a few hand-crafted iptables rules in Dom0 to protect Dom0 only, then each DomU is treated exactly the same as I would a standalone bare-metal machine. This has the advantage that when a DomU is moved between hosts, there is no reconfiguring of the host needed, as would be the case if I ran a firewall in Dom0.
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
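The reply above describes a Dom0 that carries only "a few hand-crafted iptables rules to protect Dom0 only", with every DomU on the bridge doing its own filtering. The script below is an added example of what such a Dom0-only ruleset can look like; it is not code from the thread or from the Shorewall project. It assumes the Dom0 bridge is named br0 and that administrative access comes from 192.168.1.0/24 (both hypothetical, overridable via BRIDGE_IF and ADMIN_NET). It emits the rules in iptables-restore format so they can be reviewed before being applied, and it only touches the kernel when run with the `apply` argument.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): a minimal "protect Dom0
# only" iptables ruleset for a Xen host whose DomUs sit on a bridge and run
# their own firewalls. Hypothetical defaults: bridge br0, admin net
# 192.168.1.0/24.

BRIDGE_IF="${BRIDGE_IF:-br0}"
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"

# Print the ruleset in iptables-restore format. INPUT is default-DROP (this is
# what protects Dom0); FORWARD is left ACCEPT because bridged DomU traffic is
# deliberately not the host's business here.
dom0_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i ${BRIDGE_IF} -p icmp -j ACCEPT
-A INPUT -i ${BRIDGE_IF} -s ${ADMIN_NET} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "dom0-drop: " --log-level 4
-A INPUT -j DROP
COMMIT
EOF
}

# Sanity-check the generated text before it goes anywhere near the kernel:
# Dom0 must be default-deny on INPUT, must not filter bridged traffic in
# FORWARD, and must still leave SSH open for administration.
check_ruleset() {
    rs=$(dom0_ruleset)
    echo "$rs" | grep -q '^:INPUT DROP'     || return 1
    echo "$rs" | grep -q '^:FORWARD ACCEPT' || return 1
    echo "$rs" | grep -q -- '--dport 22'    || return 1
    return 0
}

# Load the rules (needs root). The bridge-nf sysctls only exist when the
# br_netfilter module is loaded; when it is, bridged frames would otherwise be
# pushed through Dom0's iptables FORWARD chain, which is exactly what this
# design wants to avoid. If the keys are absent, bridged traffic already
# bypasses iptables, so the failure is ignored.
apply_ruleset() {
    check_ruleset || { echo "ruleset failed sanity check" >&2; return 1; }
    sysctl -w net.bridge.bridge-nf-call-iptables=0  >/dev/null 2>&1 || true
    sysctl -w net.bridge.bridge-nf-call-ip6tables=0 >/dev/null 2>&1 || true
    dom0_ruleset | iptables-restore
}

if [ "${1:-}" = "apply" ]; then
    apply_ruleset
elif [ "${1:-}" = "show" ]; then
    dom0_ruleset
fi
```

Run it as `sh dom0-fw.sh show` to review the rules and `sudo sh dom0-fw.sh apply` to load them. An equivalent ip6tables ruleset is needed if Dom0 has an IPv6 management address; and if a DomU is migrated to another host, nothing here needs to change, which is the property the reply is after.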
