Hi all,

I want to run XEN on a dedicated server with the following structure:
dom0 as hypervisor.
domU1 as a gateway - firewall, DNS, OpenVPN and maybe DHCP server. Firewalling via Shorewall.
domU2 as internal server with several services (Apache, MySQL available locally).
domU3 as DMZ with an external Apache server that can be queried from outside.

Users from the outside should connect to OpenVPN at domU1 and have access to the services on domU2.
Apache on domU3 will connect to MySQL at domU2 and present the data to the client. That should ensure better security in case domU3 is exposed.
domU1 should firewall the system, port-forward 80 to domU3 and do the NAT.
The physical machine will have one NIC with one public IP.

My questions, as a XEN beginner: is this config feasible ?
What should be improved ?
Should I use bridged or routed mode in XEN ?
I know that I have to enable the NIC at domU1 by adding pci and netif=1 parameters to the config.
I also found this link: http://www.shorewall.net/3.0/XenMyWay.html
In my case I have only one public IP and I don't have a wifi zone.
I don't want to assign a public IP to domU2, just forward the port.
Would assigning a public IP to domU2 improve scalability if we want to add more publicly available services ?
Any recommended tutorials, howtos ?

Thanks
Slawek Kosowski
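The firewall policy that the design above implies, written out as Shorewall configuration for domU1. This is an added example; it is not part of the original post nor taken from the Shorewall "XenMyWay" page it links to. It assumes that inside domU1 eth0 is the external NIC, eth1 faces the internal bridge, eth2 faces the DMZ bridge and OpenVPN creates tun0, and it invents the addressing: 10.0.1.0/24 internal (domU2 = 10.0.1.10), 10.0.2.0/24 DMZ (domU3 = 10.0.2.10) and 10.8.0.0/24 for VPN clients. Change those to your own numbering.

```text
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
vpn     ipv4

# /etc/shorewall/interfaces  (interface names are assumptions, see lead-in;
# "dhcp" on eth1 because domU1 may serve DHCP to the internal network)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        detect      tcpflags,nosmurfs,dhcp
dmz     eth2        detect      tcpflags,nosmurfs
vpn     tun0        -

# /etc/shorewall/policy  (default deny; every permitted flow is a rule)
#SOURCE DEST    POLICY  LOG LEVEL
$FW     all     ACCEPT
loc     net     ACCEPT
dmz     net     ACCEPT                  # package updates; drop if domU3 needs no outbound
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules  (addresses are assumptions, see lead-in)
#ACTION         SOURCE          DEST                PROTO   DEST PORT(S)
# the only service published to the Internet: port 80 forwarded to domU3
DNAT            net             dmz:10.0.2.10       tcp     80
# remote users reach OpenVPN on domU1 itself (UDP 1194 via the OpenVPN macro)
OpenVPN(ACCEPT) net             $FW
# the DMZ web server may reach MySQL on domU2 and nothing else inside
ACCEPT          dmz:10.0.2.10   loc:10.0.1.10       tcp     3306
# VPN clients reach the internal services on domU2 (add ports as needed)
Web(ACCEPT)     vpn             loc:10.0.1.10
SSH(ACCEPT)     vpn             loc:10.0.1.10
# both internal networks use the DNS on domU1
DNS(ACCEPT)     loc             $FW
DNS(ACCEPT)     dmz             $FW
# manage the firewall only from inside or over the VPN, never from net
SSH(ACCEPT)     loc             $FW
SSH(ACCEPT)     vpn             $FW

# /etc/shorewall/masq  (NAT the private networks behind the single public IP;
# superseded by the snat file in Shorewall 5)
#INTERFACE  SOURCE
eth0        10.0.1.0/24,10.0.2.0/24
```

Run `shorewall check` before `shorewall restart`; it catches column and macro errors without touching the running ruleset. The point of the single `dmz -> loc` rule is that a compromised domU3 can reach only TCP 3306 on domU2, so on domU2 MySQL must listen on its internal address (not only on localhost) and the account domU3 uses should be restricted to that one source host, e.g. `'web'@'10.0.2.10'`, with privileges limited to the tables the site needs.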
hi slawek,

one comment only so far: before you begin, you should know what you want. all the wished-for features can be set up by xen, no problem, but DHCP, firewall ... with 1 NIC ...

that sounds really messy

xen is not the nut here, the overall concept is!

you want all services and all security with minimal hardware (NIC).

in switzerland we say: you can have the bread and the 5p at the same time :)

thanks walter

On 30.04.2012, at 11:00, Sławek Kosowski <slawek.k_xl@wp.pl> wrote:
> [original message quoted in full above]
_______________________________________________
Xen-users mailing list
Xen-users@lists.xen.org
http://lists.xen.org/xen-users
Sławek Kosowski wrote:
> My question, as a XEN beginner: is this config quite feasible ?

Yes, very easy.

> What should be improved ?

Nothing ?

> Should I use bridged or routed mode in XEN ?

Bridged.

For the external interface you can do it two ways.
1) Use PCI passthrough to give the DomU firewall sole use of the NIC.
2) Create a bridge in Dom0 with the NIC attached - do not give Dom0 an address on this bridge.

Create two bridges - one each for the DMZ and internal networks. When creating DomUs, give them VIFs on the bridges (ie networks) you want them to have access to. Give Dom0 IP address(es) on the bridge(s) you want it to be 'connected' to.

Don't use the Xen network-script, use the host OS network tools to create the bridges. Much easier and more reliable - also works the same whether booting Xen or the host OS natively (eg when debugging or for maintenance).

BTW - you may also want a second NIC so that your internal network is available for other stuff (your own desktop/laptop, printers, etc) on the internal network.

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
The concept is to buy one powerful dedicated machine and virtualize all the rest.

@Walter can you clarify what's messy about this design ?
@Simon, thanks for the advice.

The reason why I have only one physical NIC is that the server will be a dedicated server colocated in the datacenter. Therefore, I don't see any need for additional NICs.

Question regarding LVM.
I will have hardware RAID 1. I will create a volume group on the whole disk. Then I will make 2 logical volumes, one for dom0 root and one for dom0 swap. I don't see any clear advantage in making more LVs with separate mount points unless I have big and bulky files to archive by making snapshots. Simply by having only 2 LVs I decrease granularity but facilitate management. If it comes to that, I can add new LVs and mount them at specific locations (e.g. /usr or /var), copying the files from the root LV.
I plan to make each new domU on an additional LV in the same VG as dom0. Does it make sense ?

Thanks !
Slawek Kosowski

On 30-04-2012 at 11:28 Walter Robert Ditzler wrote:
> [Walter's reply quoted in full above]
Sławek Kosowski wrote:
> The reason why I have only one physical NIC is that the server will be a dedicated server colocated in the datacenter. Therefore, I don't see any need for additional NICs.

Correct

> Question regarding LVM.
> I will have hardware RAID 1. I will create a volume group on the whole disk. Then I will make 2 logical volumes, one for dom0 root and one for dom0 swap. I don't see any clear advantage in making more LVs with separate mount points

I agree.
BTW - for RAID1, install GRUB (or whatever bootloader you are using) to the boot sectors of both drives - that way the system can boot from either drive. If you only install the bootloader on one drive, if that fails then your system will keep running but won't be able to boot.

> I plan to make each new domU on an additional LV in the same VG as dom0. Does it make sense ?

Yes, that's what I do.

-- 
Simon Hobson
sorry here, my comment should not be taken wrong, and the concept of having one powerful server to handle most of the services is absolutely good too; we almost do that here too.

first:
the problem I have, for example, is the firewall stuff. I mean, in our point of view a firewall should be separated by 2 NICs, and I assume a bridged NIC on Xen will cause some difficulties with iptables! even I don't know how you would guarantee security when all IP packets traverse the same NIC!

second:
one powerful server == one single point of failure! what about LVM snapshots, where to put them, what to do if the server crashes, server downtime?

that is what I wanted to say; for me the concept is missing. all your services can be made easily with Xen, Windows domU, Linux domU. I would only suggest considering the use of at least 2 Xen servers, replicated with DRBD, but not Remus! and in the very best case a third low-cost server with disk space to copy LVM gzipped snapshots over SSH daily or weekly.

that's it.

thanks walter

-----Original Message-----
From: xen-users-bounces@lists.xen.org [mailto:xen-users-bounces@lists.xen.org] On Behalf Of Slawek Kosowski
Sent: Monday, 30 April 2012 12:58
To: xen-users@lists.xen.org
Subject: Re: [Xen-users] Firewall in domU, networking in XEN

[Slawek's message quoted in full above]
Walter Robert Ditzler wrote:
> first:
> the problem I have, for example, is the firewall stuff. I mean, in our point of view a firewall should be separated by 2 NICs, and I assume a bridged NIC on Xen will cause some difficulties with iptables! even I don't know how you would guarantee security when all IP packets traverse the same NIC!

In this case, the OP only has a NIC for outside (untrusted) traffic. It's for a hosted server, so there is no physical network (ie other computers, printers etc) to need a NIC. Since external and internal traffic won't be sharing a NIC, it's not a problem. He'll have two separate bridges (analogous to two separate physical switches) for 'internal' and DMZ traffic, and either a third bridge or PCI passthrough for the outside traffic.

-- 
Simon Hobson
Hello.

The setup you just described looks good and it's pretty usable, we use very similar ones here. Bridged network, OpenVPN, dnsmasq, nginx as reverse HTTP proxy or rinetd (instead of port forwarding). We even set up approx for Debian repository caching and PXE to service the DomUs.

Simon Hobson has already made quite good suggestions, I don't have much to add, except two details:

Request at least 2 external IPs from your provider, and give one of them to your Dom0. Firewall it hard, set up port knocking, whatever, but leave yourself an emergency access via SSH directly to Dom0. One day your domU firewall will stop responding, even after a hard reboot, and you will need a way to find out what's up. Also, if your provider can give you access to his private network, it's useful to have access to the IPMI interface (bad idea to expose it on the Internet).

Consider a second NIC, as an internal interface. Grab a cheap one, label it with a big red warning "do not connect". It will be useful for setup tests, and the internal bridge for the Xen network will be more "standard" from the OS's point of view than a "dry" one. $3-$5, worth it.

-- 
Alexandre Kouznetsov
Thank you all for the responses.
The server will be a dedicated one. I'll have access via KVM over IP. Snapshots will be rsynced to another VPN NAS or a local NAS.

br
Slawomir
I need to clarify the ethernet interface setting.
I found this link: http://old-list-archives.xen.org/archives/html/xen-users/2006-02/msg00602.html

Since I will have only one NIC at dom0 that I will pass through to domU1, which interface do I choose for dom0 to be bridged with domU1 ?

I enclose the drawing in the attachment.
If I make a PCI passthrough for the eth device, is it assigned to vif1.0 in domU1 ?
I understand that I make the bridges in domU0 ?

Thank you
Slawomir Kosowski
On Mon, May 7, 2012 at 3:09 PM, Sławek Kosowski <slawek.k_xl@wp.pl> wrote:
> [Sławek's message quoted in full above]

Don't bother with PCI passthrough. Seriously. Plus your comments indicate you have never tried it before.

Think of dom0 like an L2 switch that supports VLANs, and set it up as such:
- If you have more than 1 NIC, it's easier if you simply bond them together for increased availability and throughput. In your case it doesn't matter since you only have 1 NIC.
- Create VLANs on the NIC, if possible. Of course your switch (or the provider's switch) must support trunk + VLAN configuration as well.
- Create bridges on dom0 for each VLAN. If you don't use VLANs, then you only need to have one bridge (for the physical NIC). For private (i.e. dom0 <-> domU or domU <-> domU) networks, create bridges using dummy interfaces.
- Assign IP addresses on dom0 bridges as needed. If a bridge is used only by a domU, then you don't need to assign an IP on the dom0 side.

-- 
Fajar
Sławek Kosowski wrote:
> I need to clarify the ethernet interface setting.
> I found this link: http://old-list-archives.xen.org/archives/html/xen-users/2006-02/msg00602.html
>
> Since I will have only one NIC at dom0 that I will pass through to domU1, which interface do I choose for dom0 to be bridged with domU1 ?

None at all. You can have a bridge with no physical NICs assigned to it.

> I enclose the drawing in the attachment.
> If I make a PCI passthrough for the eth device, is it assigned to vif1.0 in domU1 ?
> I understand that I make the bridges in domU0 ?

That would be Dom0, not DomU0.
If you pass the NIC through to the firewall DomU then it will appear as eth<n> in the DomU - there will be no VIF associated with it.

On your drawing, delete "peth0" in Dom0 (it's in the wrong place anyway BTW*), so "net" connects directly to eth0 in Dom1. Dom0 will have an IP address on br0 - ie br0 will be its interface when you do "ifconfig".

This is completely different to the technique in the post you link to. If you delete peth1 from the diagram in that post then you'll have more or less what you want - br1 and br2 are the internal bridges, and you connect virtual machines (including Dom0) to whichever you want. Again, for Dom0 you just give it an IP address on br<n> and it will work.

Both methods will work, which you use is largely a matter of preference.

-- 
Simon Hobson
Hello Slawek,

I recently set up a Xen machine with a pfSense router. I tested two NICs with passthrough and saw no change in intranet file transfer speeds, so personally I wouldn't recommend that.

For the configuration you described in your first email, with a single NIC entering the machine and two separated internal networks for virtual machine groups, you will need three if not four bridged connections in Dom0. I was using Debian and created my bridges in the /etc/network/interfaces file. If you are working with the same, yours would look like this:

    auto lo xenbr0 xenbr1 xenbr2
    iface lo inet loopback
    iface eth0 inet manual
    iface xenbr0 inet manual
        bridge_ports eth0
    # "bridge_ports none" makes the bridge-utils ifupdown hook create an empty
    # bridge; without that line no bridge is created and ifup fails
    iface xenbr1 inet manual
        bridge_ports none
    iface xenbr2 inet manual
        bridge_ports none

Your chain of connections would be similar to:

    ISP modem to eth0
    eth0 bridged to xenbr0
    xenbr0 bridged to WAN on DomU1
    xenbr1 bridged to LAN1 on DomU1
    xenbr2 bridged to LAN2 on DomU1
    xenbr1 bridged to DomU2
    xenbr2 bridged to DomU3

If you want to add more services to either bridge, you just add "bridge=xenbr#" in your network configuration files for any new HVMs. In the configuration I provided, Dom0 does not have a connection; if you want to give it an address on either network, change "manual" to "static" or "dhcp" (static is controlled but requires additional lines).

My setup has two NICs with a switch, but only one internal network. My interfaces file is as follows:

    auto lo xenbr0 xenbr1
    iface lo inet loopback
    iface eth0 inet manual
    iface eth1 inet manual
    iface xenbr0 inet manual
        bridge_ports eth0
    iface xenbr1 inet static
        bridge_ports eth1
        address 10.0.0.2
        netmask 255.255.255.224
        gateway 10.0.0.1

Note that I ran into a problem on Debian where the DNS file on the machine (not interfaces, but I can't remember it off hand and am at work) did not update the gateway, so I had to manually update it, or add more lines to interfaces.

There may be more you will want to do on the eth0 bridge to secure it, but I am not a security specialist, just a tech enthusiast.

Hope that helps,
~Casey

On Mon, May 7, 2012 at 10:58 AM, Simon Hobson <linux@thehobsons.co.uk> wrote:
> [Simon's reply quoted in full above]
Thank you guys for help.
I like the idea of bridging eth0 with vif1.0 and then just bridging vif0.0 with vif1.1

The idea for a custom network script for dom0 that will be referenced in /etc/xen/xend-config.sxp (probably incomplete and completely untested):

    ip link set eth0 down
    # ip link takes "address", not "mac"
    ip link set eth0 address fe:ff:ff:ff:ff:ff arp off

    # just a bridge for domU1
    brctl addbr xenbr0
    brctl setfd xenbr0 0
    brctl addif xenbr0 eth0
    ip link set xenbr0 up
    ip link set eth0 up

    # bridge for loc
    brctl addbr xenbr1
    brctl setfd xenbr1 0
    brctl addif xenbr1 vif0.0
    ip link set xenbr1 up
    ip link set vif0.0 up
    ifconfig vif0.0 192.168.2.2

    # bridge for dmz
    brctl addbr xenbr2
    brctl stp xenbr2 off
    brctl setfd xenbr2 0
    ip link set xenbr2 up

Then in the domU1 config file I'll instantiate:

    vif=[ 'bridge=xenbr0', 'mac=00:16:3e:07:d2:0e', 'bridge=xenbr1', 'mac=00:16:3e:07:d2:0f', 'bridge=xenbr2', 'mac=00:16:3e:07:d2:10' ]

What should be changed and how ?

Slawomir Kosowski
At 10:44 +0200 10/5/12, Sławek Kosowski wrote:
> The idea for a custom network script for dom0

Really, DON'T use network script - comment it out (ie don't use it at all) and use the host OS tools. network script is deprecated and is a hangover from the days when most distros didn't provide easy/convenient tools for managing bridges. Now that most distros have good tools for this, there isn't really any need for Xen's network script - and using the OS tools means you'll have a config that works even when booting the host OS without Xen (eg for troubleshooting).

For example, in Debian you can (I think) do this in /etc/network/interfaces :

    auto ethext
    # "manual" because Dom0 gets no address here; ifupdown's "static"
    # method refuses to bring an interface up without an address line
    iface ethext inet manual
        bridge_ports eth0

    auto ethint
    iface ethint inet static
        bridge_ports none
        address 192.168.1.x
        netmask 255.255.255.0
        gateway 192.168.1.1

    auto ethdmz
    iface ethdmz inet manual
        bridge_ports none

If I've got it right, this will leave you with three bridges :
ethext has one member, the real NIC eth0. Dom0 has no access to it (no IP address configured).
ethint has no physical NICs. Dom0 has an IP in this network.
ethdmz also has no physical NIC, and also no access to Dom0.

You'd start up your first DomU for the firewall with VIFs connected to all three bridges. For all other DomUs you'd connect them to one or both of ethint and ethdmz according to their requirements.

You can use whatever names you like instead of ethext, ethint, and ethdmz. Personally I don't like using things like br0, br1, etc as it's harder to keep track of what's what.

-- 
Simon Hobson
On Thu, 2012-05-10 at 09:44 +0100, Sławek Kosowski wrote:
> vif=[ 'bridge=xenbr0', 'mac=00:16:3e:07:d2:0e', 'bridge=xenbr1',
> 'mac=00:16:3e:07:d2:0f', 'bridge=xenbr2', 'mac=00:16:3e:07:d2:10' ]

I haven't been following this thread so I don't have any comments on the specifics of your proposal but just wanted to note that the syntax here would actually be:

    vif=[ 'bridge=xenbr0,mac=00:16:3e:07:d2:0e',
          'bridge=xenbr1,mac=00:16:3e:07:d2:0f',
          'bridge=xenbr2,mac=00:16:3e:07:d2:10' ]

BTW, you could actually name your bridges "dmz", "loc", etc.

Ian.
Thank you guys for the helpful advice :)

Best regards
SK
Simon Hobson wrote:
> For example, in Debian you can (I think) do this in /etc/network/interfaces :
> [three-bridge /etc/network/interfaces example quoted in full above]
> If I've got it right, this will leave you with three bridges :
> ethext has one member, the real NIC eth0. Dom0 has no access to it (no IP address configured).
> ethint has no physical NICs. Dom0 has an IP in this network.
> ethdmz also has no physical NIC, and also no access to Dom0.

Simon, I'm running again through what you've written, and I'm still missing several points:

1. I need to create a virtual interface in dom0 that will connect to ethint (giving access to LOC). Should I create an alias to eth0 (eth0:1) ?

2. I cannot configure ethdmz in the way that you've shown. It works fine if I assign an IP as in the case of ethint.

3. How should I keep the configuration of eth0 if it won't have any IP (in dom0) - it will be bridged to domU1 ?
Should it be something like this:

    auto eth0:0
    iface eth0:0 inet manual

and then configure it normally (i.e. DHCP or static) in domU1 ?

Thanks for help
Slawomir
Sławek Kosowski wrote:
> 1. I need to create a virtual interface in dom0 that will connect to ethint (giving access to LOC). Should I create an alias to eth0 (eth0:1) ?

No. You already have access to int from Dom0 - that's what the

    address 192.168.1.x
    netmask 255.255.255.0
    gateway 192.168.1.1

bit of the config does for you. The bridge itself becomes the interface in Dom0 - it should show as ethint in the output from ifconfig.

> 2. I cannot configure ethdmz in the way that you've shown. It works fine if I assign an IP as in the case of ethint.

The docs I found say it should work - not a setup I've used personally. Perhaps someone else can confirm if I've got the syntax correct.
Do you get an error message ? Just "nothing" ? Does the bridge appear (brctl show) ?

> 3. How should I keep the configuration of eth0 if it won't have any IP (in dom0) - it will be bridged to domU1 ?
>
> Should it be something like this:
>
>     auto eth0:0
>     iface eth0:0 inet manual

No, you just don't configure it at all. It will be bridged to a DomU and Dom0 will not have any access.

Before starting any DomUs, brctl show should give something like :

    bridge name     bridge id           STP enabled     interfaces
    ethext          8000.xxxxxxxxxxxx   no              eth0
    ethint          8000.xxxxxxxxxxxx   no
    ethdmz          8000.xxxxxxxxxxxx   no

After starting the first DomU as your firewall device, you should see it change to something like :

    ethext          8000.xxxxxxxxxxxx   no              eth0
                                                        vifa.b
    ethint          8000.xxxxxxxxxxxx   no              vifa.c
    ethdmz          8000.xxxxxxxxxxxx   no              vifa.d

Not too sure about the "vifa.b" stuff, I give my DomUs explicit interface names, so I might see :

    ethext          8000.xxxxxxxxxxxx   no              eth0
                                                        fwext
    ethint          8000.xxxxxxxxxxxx   no              fwint
    ethdmz          8000.xxxxxxxxxxxx   no              fwdmz

Eg, in the config for my firewall DomU, I might have something like :

    vif = [ 'bridge=ethext,vifname=fwext', 'bridge=ethint,vifname=fwint', 'bridge=ethdmz,vifname=fwdmz' ]

I just like having meaningful names - makes things easier when you have a few VMs running. On the other hand, it causes some confusion when cloning a VM and I forget to change the names !

-- 
Simon Hobson
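Once the bridges exist, the whole design above rests on two properties Simon described: the external bridge carries only the physical NIC and the firewall DomU's vif, and Dom0 holds no address on it (or on the raw NIC). Any other vif on that bridge, or a Dom0 address on it, puts a machine on the Internet side of the firewall. The script below is an added check, not code from the thread; it reads `brctl show` and `ip -o -4 addr show` output and reports violations. The names (bridge ethext, NIC eth0, firewall vif fwext named via vifname=, an internal-server vif vifdb.0) and both sample outputs are assumptions constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the thread: verify that Dom0's external bridge
# is isolated. Names are assumptions matching Simon's suggested layout and can
# be overridden from the environment.
EXT_BRIDGE=${EXT_BRIDGE:-ethext}
EXT_NIC=${EXT_NIC:-eth0}
FW_VIF=${FW_VIF:-fwext}

# Print the member interfaces of bridge $1, one per line, from `brctl show`
# output on stdin. brctl prints the first member on the bridge's own line and
# further members on continuation lines that start with whitespace.
bridge_members() {
    awk -v br="$1" '
        NR == 1 { next }                               # column header line
        /^[[:space:]]/ { if (cur == br) print $1; next } # continuation line
        { cur = $1; if (cur == br && NF >= 4) print $4 }  # bridge line
    '
}

# Return 0 if the external bridge holds only the NIC and the firewall vif and
# Dom0 has no IPv4 address on the bridge or the raw NIC; otherwise print each
# finding and return 1. $1 = file with `brctl show`, $2 = file with
# `ip -o -4 addr show` (one line per address; field 2 is the device name).
check_ext_bridge() {
    rc=0
    for m in $(bridge_members "$EXT_BRIDGE" < "$1"); do
        case "$m" in
            "$EXT_NIC"|"$FW_VIF") ;;
            *) echo "FAIL: unexpected member '$m' on $EXT_BRIDGE"; rc=1 ;;
        esac
    done
    if awk -v a="$EXT_BRIDGE" -v b="$EXT_NIC" \
           '$2 == a || $2 == b { hit = 1 } END { exit !hit }' "$2"; then
        echo "FAIL: Dom0 holds an IPv4 address on $EXT_BRIDGE or $EXT_NIC"
        rc=1
    fi
    return $rc
}

# Constructed sample outputs (not captured from a real host). Real brctl output
# is tab-separated; awk's default field splitting treats tabs and spaces alike.
GOOD_BRCTL='bridge name     bridge id               STP enabled     interfaces
ethext          8000.001122334455       no              eth0
                                                        fwext
ethint          8000.00163e000001       no              fwint
                                                        vifdb.0
ethdmz          8000.00163e000002       no              fwdmz'
GOOD_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
4: ethint    inet 192.168.1.5/24 brd 192.168.1.255 scope global ethint\       valid_lft forever preferred_lft forever'

# Broken layout: the internal server's vif landed on the external bridge and
# Dom0 was given an address on it, so both are directly reachable from "net".
BAD_BRCTL='bridge name     bridge id               STP enabled     interfaces
ethext          8000.001122334455       no              eth0
                                                        fwext
                                                        vifdb.0
ethint          8000.00163e000001       no              fwint
ethdmz          8000.00163e000002       no              fwdmz'
BAD_ADDR="$GOOD_ADDR
2: ethext    inet 203.0.113.10/24 brd 203.0.113.255 scope global ethext\\       valid_lft forever preferred_lft forever"

# Run check_ext_bridge on one of the samples ($1 = good|bad); return its result.
run_sample() {
    d=$(mktemp -d)
    if [ "$1" = good ]; then
        printf '%s\n' "$GOOD_BRCTL" > "$d/brctl"; printf '%s\n' "$GOOD_ADDR" > "$d/addr"
    else
        printf '%s\n' "$BAD_BRCTL" > "$d/brctl"; printf '%s\n' "$BAD_ADDR" > "$d/addr"
    fi
    check_ext_bridge "$d/brctl" "$d/addr"; res=$?
    rm -rf "$d"
    return $res
}

# Run directly: check a live host if two capture files are given, else dry-run.
if [ $# -eq 2 ]; then
    check_ext_bridge "$1" "$2"
else
    run_sample good && echo "sample 'good': external bridge isolated"
    run_sample bad  || echo "sample 'bad': problems found (expected)"
fi
```

On the Dom0 itself, capture the two outputs and pass them in: `brctl show > /tmp/b; ip -o -4 addr show > /tmp/a; sh check_ext_bridge.sh /tmp/b /tmp/a`. Running it after every `xl create` (or from cron) catches the common mistake of cloning a DomU config and forgetting to change `bridge=`.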