Hi,
I'm looking at re-building my home-LAN into a one Xen server
architecture. I plan to do something like "Option B" as described in
http://lists.xensource.com/archives/html/xen-users/2005-08/msg00315.html
My question is about securing the "public/Internet" interface.
My xen dom0 has ex0 and ex1; ex0 is configured as the "internal/LAN"
interface; ex1 is not configured yet but is supposed to be plugged into
my ADSL router. Is it better to:
- hide ex1 from dom0 and export it to domU/FW
- bridge ex1 from dom0 (without an IP) to domU/FW (with an IP)
I suspect solution (2) makes dom0 able to see traffic from/to the
Internet, so it has to protect itself with pf/ipf. When choosing
solution (1), packet filtering only has to be done in domU/FW (to
filter traffic from the Internet to my LAN), right?
I'm just not sure I understand how to achieve physical interface
separation between domU/FW and (dom0 and the rest of the domUs).
TIA,
Jo
--
NetBSD brought my daemons to the Sun (c)