Xen 		  
Home About Xen.org Xen Xen Summit Wiki Mailing List Bug Tracker Xen Downloads
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-users] Ideal(istic) Xen firewall design

from [Dirk H. Schulz] [Permanent Link][Original]
To: Marcus Brown <marcusbrutus@xxxxxxxxxxxxxxxx>, xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Ideal(istic) Xen firewall design
From: "Dirk H. Schulz" <dirk.schulz@xxxxxxxxxxxxx>
Date: Sun, 14 Aug 2005 12:30:55 +0200
Delivery-date: Sun, 14 Aug 2005 10:29:15 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <42FF0CBD.1070507@xxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <42FAC8B2.8070601@xxxxxxxxxxxxxxxx> <42FB20AB.2000906@xxxxxxxxxxxxxxxxxxxxxxx> <42FC02B7.5010605@xxxxxxxxxxxxxxxx> <1123815231.4815.57.camel@xxxxxxxxxxxxxxxxxxxxxxx> <42FC1FBC.2070409@xxxxxxxxxxxxxxxx> <42FC529F.6090207@xxxxxxxxxxxxx> <42FEF120.3080509@xxxxxxxxxxxxxxxx> <42FEF923.1000802@xxxxxxxxxxxxx> <42FF0CBD.1070507@xxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla Thunderbird 1.0.6 (Macintosh/20050716) 
Hi Markus,

Marcus Brown schrieb:


Hi Dirk,

Dirk H. Schulz wrote:

Hi Marcus,

thanks for so much info!

Just a short question before I start digging into your configs: What do
you gain by running the firewall inside a privileged guest system
instead of inside dom0?



It's modular, restartable, replaceable, ...
(ie. I can reboot the firewall without rebooting all the domUs)

That is a very good reason. I did not think of that, I have to admit.


errr
oh, and someone gaining root access to the firewall won't be able to
play with xend, or the filesystems of the domUs.
Oh, err, shouldn't it be more difficult to get root access to the firewall than to the other systems? That's one thing firewalls are for, aren't they? :-) 


I'm sure there are other good reasons :)
Yes, there are. This way one could have two firewalls to hide the domU network behind and a vpn server inbetween just for training (setting up vpn with dynamic routing, e.g.). Lots to play with on rainy weekends. :-) One could even setup complex OSPF scenarios just for testing. I start loving this concept ... 

Dirk

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-users] 'xm save' problem, Jean-Christophe Guillain
Next by Date:  [Xen-devel] VMX Hardware, Goetz Bock
Previous by Thread:  Re: [Xen-users] Ideal(istic) Xen firewall design, Marcus Brown
Next by Thread:  RE: [Xen-users] Ideal(istic) Xen firewall design, Mike Tierney
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , XenSource, Inc. All rights reserved. Note: the xen.org trademark policy
is changing. For information please email legalxen.org, Legal and Privacy