[email protected] wrote:
>> With a twist that I have (at home) a DomU just for the external gateway.
>
> Separate from the fw DomU? I've been wondering what makes most sense --
> gateway + fw + openvpn all on one DomU, or split them up.
One device = FW + router + NAT etc

> So leaning in that direction, that's FW in the DomU. At the moment I have a
> fw DomU up with 1 intfc (br0, from Dom0) passed in as local intfc, and
> another pci-passthrough'd NIC for the DomU's ext interface, case (1) here
>
> (1)
>              'net
>               |
>            (modem)
>               |
>          'real' eth1 ( pci-passthru from eth1 @ Dom0 )
> DomU --|
>          'virtual' eth0 ( from br0 @ Dom0 )
>
>
> Dom0 --|- eth0 -> br0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ (Ethernet switch) -> LAN
>        |- eth1 -> hidden+pci-passthru

Yep, that's one arrangement I've had in the past.

> But IIUC I can also do,
>
> (2)
>              'net
>               |
>            (modem)
>               |
>          'real' eth1 (pci-passthru from Dom0)
> DomU --|
>          'real' eth0 (pci-passthru from Dom0)~~~~~~~~~~~ (Ethernet switch) -> LAN
>                                                                 |
>                                                                 |
> Dom0 --|- eth0 -> hidden+pci-passthru                           |
>        |- eth1 -> hidden+pci-passthru                           |
>        |- eth2 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
>
>
> IIUC, in (2) I avoid pushing 'other' LAN traffic through the Dom0.

Yes, that'll work too.

> I think that's a good thing? Are there any good reasons NOT to do this?
> Seems like it would be treating DomU "exactly the same as ... a standalone
> bare-metal machine", and also be most portable.

There's only one reason I can think of that would make the 2nd option better than the first. AIUI, the network handler in Dom0 is single threaded - and I gather that can introduce latency and/or throughput limitations for network traffic as a whole. Dunno if the same applies to the PCI passthrough virtualisation layer.

In any case, that largely depends on whether you have a lot of LAN traffic. For my home network, there's probably a lot more that goes through Dom0 (to/from DomUs) and the difference between the firewall/gateway having a virtual NIC vs passthrough NIC is "not important to me".
There's theoretically a very small security consideration in that with Option 1 the other DomUs can sniff traffic on the bridge - but they'll only see broadcast traffic which is generally not all that useful (and they'd see that in Option 2 as well). Anyone with access to Dom0 could still sniff traffic (I assume) with Option 2 as it still goes through a virtualisation layer and could be sniffed by someone with the right tools.

I don't see any difference in portability - in both cases DomU has 2 virtual NICs which need to be mapped by Dom0.

> I'm guessing shorewall rules would need to be different for the two cases to
> protect the DomUs, Dom0 and lan machines.

In terms of what's on that DomU FW "appliance" there'll be very little difference - and in practice I'm not sure you'd need to make any changes to Shorewall on it!

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
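As an added illustration of the point made above (this is example configuration written for this page, not from the original poster, the reply author, or the Shorewall project), here is what arrangements (1) and (2) look like on disk. It assumes Xen's xl toolstack and a Shorewall 4.6-era file layout; the domain name fwgw, the MAC address, and the PCI addresses 00:19.0 and 01:00.0 are placeholders, and br0 is the bridge from the thread. The Dom0-side domain config is the only thing that differs between the two cases; the Shorewall files inside the firewall DomU are identical because the DomU only ever sees "eth0 = LAN, eth1 = WAN".

```text
## Dom0 side: /etc/xen/fwgw.cfg (hypothetical name). Only this file changes
## between (1) and (2). PCI addresses are placeholders: find yours with lspci
## and make them assignable with `xl pci-assignable-add 00:19.0`, or hide
## them at boot with the xen-pciback.hide=(00:19.0)(01:00.0) kernel option.

# case (1): LAN side is a vif on br0, WAN side is a passed-through NIC
name   = "fwgw"
vcpus  = 1
memory = 256
vif    = [ 'bridge=br0, mac=00:16:3e:00:00:01' ]   # appears as eth0 in the DomU
pci    = [ '00:19.0' ]                             # appears as eth1 in the DomU

# case (2): both NICs passed through, no vif at all, nothing on br0
name   = "fwgw"
vcpus  = 1
memory = 256
pci    = [ '01:00.0', '00:19.0' ]                  # LAN NIC, WAN NIC

## DomU side: identical in both cases.

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4

# /etc/shorewall/interfaces
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth1        dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
loc     eth0        tcpflags,nosmurfs,routefilter,logmartians

# /etc/shorewall/policy
#SOURCE DEST    POLICY  LOGLEVEL
loc     net     ACCEPT
$FW     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/masq   (Shorewall 4.x; Shorewall 5 moves this to the snat file)
#INTERFACE  SOURCE
eth1        0.0.0.0/0
```

One caveat that matters more in case (2): with two passed-through NICs the eth0/eth1 names inside the DomU come from PCI enumeration order and the guest's udev rules, not from the order of the `pci` list, so pin the names to the NICs' MAC addresses (for example with a persistent-net udev rule) before relying on the zone assignment above. If the names ever swap after a reboot, the WAN NIC lands in the `loc` zone and the LAN is exposed under the `loc net ACCEPT` policy. In case (1) the vif's MAC is fixed in the config, which makes that pinning easier for the LAN side.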
