On Sat, 2005-08-13 at 09:37 +0200, Dirk Ruediger wrote:
> I wanted to have a DMZ and installed an additional network card to bind
> all these vservers to. But then I discovered the dummy device and want
> to swap eth1 for dummy0 (after installing the dummy module ;-)
> and remove the additional network card from the server if it can be done.
> But first I want to know if this is common (= good) practice. Or should I
> rather tinker with bridge and tun devices? The mailing list shows many
> things possible (vlan, bridge, dummy), but I can't see what the best
> practices are.
Dirk,

I think that setting up "machine internal" networks on dummy interfaces is a good practice. I have been using such a configuration for a while myself. Setting them up on a real physical interface also addresses the root problem that is the motivation to do this, which is to keep their traffic off the wire even if your firewalling is turned off momentarily. Using a dummy interface, you save yourself one network card to achieve this separation.

One peculiarity is that despite all vservers being defined on the dummy0 network, packets between vservers do not cross the host boundary. Instead, they are considered to pass through the loopback interface when talking between vservers, or from the host to and from any of the vservers. However, this is no problem as you simply set up your iptables rules to limit which vservers can talk to which other vservers on the loopback interface.

Sam.

_______________________________________________
Vserver mailing list
[email protected]
http://list.linux-vserver.org/mailman/listinfo/vserver
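The dummy0 setup and the loopback filtering Sam describes, as an added example that is not code from the thread or from the Linux-VServer project. The 10.99.0.0/24 addresses, the "web" and "db" vserver roles, the database port 5432 and the physical interface eth0 are all assumed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a machine-internal "DMZ" on
# dummy0 and restricts which vservers may talk to each other. Because traffic
# between local addresses never crosses dummy0 but is delivered via lo, the
# filter rules match on lo. Names and addresses below are constructed.
NET=10.99.0.0/24      # assumed internal network on dummy0
HOST_IP=10.99.0.1     # host address on dummy0
WEB_IP=10.99.0.10     # assumed "web" vserver address
DB_IP=10.99.0.20      # assumed "db" vserver address
WIRE_IF=eth0          # assumed physical interface

# Commands are printed for review unless APPLY=1 is set (then run as root).
run() { if [ "${APPLY:-}" = 1 ]; then "$@"; else echo "$*"; fi; }

setup_dummy() {
    run modprobe dummy
    run ip link add dummy0 type dummy
    run ip addr add "$HOST_IP/24" dev dummy0
    run ip link set dummy0 up
    # vserver addresses normally come from the vserver config; shown as
    # plain aliases on dummy0 so the whole picture is visible
    run ip addr add "$WEB_IP/24" dev dummy0
    run ip addr add "$DB_IP/24" dev dummy0
}

internal_filter() {
    run iptables -N VS_INTERNAL
    # insert at the top: a typical "-A INPUT -i lo -j ACCEPT" would otherwise
    # short-circuit everything below
    run iptables -I INPUT 1 -i lo -s "$NET" -d "$NET" -j VS_INTERNAL
    run iptables -A VS_INTERNAL -m state --state ESTABLISHED,RELATED -j ACCEPT
    # web may open connections to the database port only
    run iptables -A VS_INTERNAL -s "$WEB_IP" -d "$DB_IP" -p tcp --dport 5432 -j ACCEPT
    # the host may reach any vserver on the internal net
    run iptables -A VS_INTERNAL -s "$HOST_IP" -j ACCEPT
    # anything else between internal addresses is logged and dropped
    run iptables -A VS_INTERNAL -j LOG --log-prefix "vs-internal-drop: "
    run iptables -A VS_INTERNAL -j DROP
    # belt and braces: internal addresses must never leave on the wire
    run iptables -A OUTPUT -o "$WIRE_IF" -s "$NET" -j DROP
    run iptables -A FORWARD -o "$WIRE_IF" -s "$NET" -j DROP
}

# Default invocation prints the plan; APPLY=1 sh dmz-dummy.sh applies it.
setup_dummy
internal_filter
```

Review the printed rule set before applying it; the logged drops on lo are the quickest way to spot a vserver pair that still needs an explicit ACCEPT.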
