Hi Simon

On 2015-04-22 07:02, Simon Hobson wrote:
> With a twist that I have (at home) a DomU just for the external 
> gateway.

Separate from the fw DomU?  I've been wondering what makes most sense -- 
gateway + fw + openvpn all on one DomU, or split them up.

> For physical connectivity, I've done several different ways :
> At one point, I had a separate NIC with PCI passthrough to make it
> part of the DomU. The internet was handled by a modem which did the
...
> At work, my Xen and Linux stuff is all part of a much bigger network.
> I just have a few hand-crafted iptables rules in Dom0 to protect Dom0
> only, then each DomU is treated exactly the same as I would a
> standalone bare-metal machine. This has the advantage that when a DomU
> is moved between hosts, there is no reconfiguring of the host needed
> as would be the case if I ran a firewall in Dom0.

After a lot of reading, I've decided to leave the Dom0 alone to the 
greatest degree possible.

With apologies for the 'ascii art' ...

So leaning in that direction, that's FW in the DomU.  At the moment I 
have a fw DomU up with 1 interface (br0, from Dom0) passed in as the local 
interface, and another PCI-passthrough'd NIC as the DomU's external 
interface; case (1) here:

(1)
      'net
        |
     (modem)
        |
      'real' eth1 ( pci-passthru from eth1 @ Dom0 )
DomU --|
      'virtual' eth0 ( from br0 @ Dom0 )


Dom0 --|- eth0 -> br0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ (Ethernet switch) -> LAN
       |- eth1 -> hidden+pci-passthru


But IIUC I can also do,

(2)
      'net
        |
     (modem)
        |
      'real' eth1 (pci-passthru from Dom0)
DomU --|
      'real' eth0 (pci-passthru from Dom0)~~~~~~~~~~~ (Ethernet switch) -> LAN
                                                               |
                                                               |
Dom0 --|- eth0 -> hidden+pci-passthru                          |
       |- eth1 -> hidden+pci-passthru                          |
       |- eth2 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|


IIUC, in (2) I avoid pushing 'other' LAN traffic through the Dom0.

I think that's a good thing?  Are there any good reasons NOT to do this? 
Seems like it would be treating the DomU "exactly the same as ... a 
standalone bare-metal machine", and also be most portable.

I'm guessing shorewall rules would need to be different for the two 
cases to protect the DomUs, Dom0 and lan machines.


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
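What Dom0 has to let through differs between the two layouts, and that is the part a "protect Dom0 only" ruleset has to get right. In layout (1) the LAN-to-DomU frames cross Dom0's br0; if the br_netfilter sysctl net.bridge.bridge-nf-call-iptables is 1 (the usual default once the module is loaded), those bridged frames are also run through Dom0's FORWARD chain, so a FORWARD DROP policy on Dom0 silently cuts the LAN off from the firewall DomU. In layout (2) Dom0 only owns eth2 and never forwards anything, so nothing bridged needs an exception. The script below is an added example, not code from the thread or from Shorewall: it generates a minimal Dom0 ruleset for either case in iptables-restore(8) format so it can be reviewed before loading. The interface names br0/eth2, the LAN subnet 192.168.1.0/24, and SSH as the only admin service reachable on Dom0 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): minimal "protect Dom0 only"
# ruleset for the two Xen layouts discussed above.
#   case 1: Dom0 carries LAN traffic on bridge br0 (DomU gets a vif on br0)
#   case 2: both NICs are PCI-passthrough'd to the DomU; Dom0 has only eth2
# Assumed: admin access is SSH from the LAN, and the LAN is 192.168.1.0/24.
# Output is iptables-restore(8) format:  dom0_rules 1 | iptables-restore

LAN=${LAN:-192.168.1.0/24}

# Interface on which Dom0 itself is reachable from the LAN in each layout.
dom0_mgmt_if() {
    case "$1" in
        1) echo br0 ;;
        2) echo eth2 ;;
        *) echo "usage: dom0_mgmt_if 1|2" >&2; return 1 ;;
    esac
}

# Emit the filter table for the given layout (1 or 2).
dom0_rules() {
    mgmt_if=$(dom0_mgmt_if "$1") || return 1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $mgmt_if -s $LAN -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $mgmt_if -s $LAN -p icmp --icmp-type echo-request -j ACCEPT
EOF
    if [ "$1" = 1 ]; then
        # Layout (1): frames between the LAN and the DomU's vif traverse br0.
        # With net.bridge.bridge-nf-call-iptables=1 they are also evaluated in
        # Dom0's FORWARD chain, and the DROP policy above would drop them.
        # Let bridged frames through; the fw DomU does the real filtering.
        echo "-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT"
    fi
    # Layout (2) needs no FORWARD exception: Dom0 forwards nothing, so
    # FORWARD DROP is exactly what we want.
    echo "COMMIT"
}

# Optional companion for layout (1): keep bridged frames out of iptables
# entirely, so Dom0's filter table is consulted only for Dom0's own traffic.
dom0_sysctl() {
    if [ "$1" = 1 ]; then
        echo "net.bridge.bridge-nf-call-iptables = 0"
        echo "net.bridge.bridge-nf-call-ip6tables = 0"
    fi
}
```

Either guard is enough for layout (1): the physdev ACCEPT keeps bridged traffic flowing even if someone later flips the sysctl back on, while the sysctl alone means Dom0 never sees LAN frames in iptables at all. For layout (2) the ruleset is the same minus the bridge exception, which is the concrete sense in which the DomU is then treated like a standalone bare-metal machine.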