Hi

I have a bit of a problem that I have to overcome. I have 2 networks that I need to run different systems on (DMZ and internal). I have one computer that has two NICs and I thought of doing the following: set up Xen and run dom0 without giving it an IP address. Set up one domU that is bridged through the first NIC and a second domU that is bridged through a second bridge on the second interface. The result of this setup is that I have 2 domUs that are totally separated even on the network level and a dom0 that is unreachable because it doesn't exist in layer 3 and above.

The questions I have:
1. Is it possible not to give dom0 an IP address at all and still have the domUs be able to network?
2. Does such a setup have a security weakness that I'm not seeing?

TIA
Paolo

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Hi Paolo

On Friday, 07 July 2006 06:02, Paolo Supino wrote:
> Hi
>
> I have a bit of a problem that I have to overcome. I have 2 networks
> that I need to run different systems on (DMZ and internal). I have one
> computer that has two NICs and I thought of doing the following: set up
> Xen and run dom0 without giving it an IP address. Set up one domU that is
> bridged through the first NIC and a second domU that is bridged through a
> second bridge on the second interface.

Should be possible. You could even hide the NICs from dom0 and hand them over to the domU. That's my current setup.

> The result of this setup is that
> I have 2 domUs that are totally separated even on the network level and
> a dom0 that is unreachable because it doesn't exist in layer 3 and above.
> The questions I have:
> 1. Is it possible not to give dom0 an IP address at all and still have
> the domUs be able to network?

Yup. Since in the standard setup the physical device and the device dom0 sees as eth0 are different: the physical device becomes peth0 and is attached to a bridge, and veth0 is renamed to eth0 and then gets the IP and MAC of the old eth0. You just might want to modify /etc/xen/scripts/network-bridge. There might be an easier way which I'm missing right now, since I myself just started.

> 2. Does such a setup have a security weakness that I'm not seeing?

Don't know about that one...

Jonathan
> > 2. Does such a setup have a security weakness that I'm not seeing?
> Don't know about that one

Any domU that broadcasts an IP with that configuration "owns" it. As long as you specify a MAC / IP in your config per domU that shouldn't be an issue. If not, it's possible for one domU to 'hijack' an IP owned by another. Really only an issue if untrusted people have root access to the domUs. It's more likely to happen by accident than as some sort of attack, especially if you're using DHCP.

We do something similar with domUs we use for redundant in-line firewalls and snort appliances, works very well :)

HTH
Tim
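Added example, not part of the thread and not Xen's own scripts: a POSIX shell sketch of the setup Paolo describes, following Jonathan's point that the physical NIC can sit on a bridge without dom0 holding any address, and Tim's advice to pin MAC and IP per domU. It goes a step further than the thread by enforcing the pinning on the bridge with ebtables rather than relying on the config alone. Assumptions (none of them from the thread): bridges xenbr0/xenbr1 on eth0/eth1, backend vif name vif1.0, address 192.0.2.10, xend-config.sxp pointed at (network-script /bin/true) so Xen's network-bridge script is not used, and brctl/ebtables installed in dom0. With DRY_RUN=1 (the default) every privileged command is printed instead of executed, so the script runs unprivileged for inspection.

```shell
#!/bin/sh
# Added example, not from the thread: two isolated bridges with no dom0
# address (Paolo's setup, Jonathan's answer) plus the per-domU MAC/IP pinning
# Tim recommends. Bridge names xenbr0/xenbr1, NICs eth0/eth1, the vif name
# vif1.0 and the 192.0.2.x address are assumptions. DRY_RUN=1 (the default)
# prints each command instead of executing it, so it runs without root.

DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# setup_bridge BRIDGE NIC: enslave NIC to BRIDGE and bring both up without
# any `ip addr add`, so dom0 has no layer-3 presence on that segment. This
# bypasses Xen's network-bridge script (assumption: xend-config.sxp then uses
# (network-script /bin/true)), so there is no peth0/veth0 renaming at all.
setup_bridge() {
    br=$1; nic=$2
    run ip link set "$nic" down
    run ip addr flush dev "$nic"             # drop whatever address the NIC had
    run brctl addbr "$br"
    run brctl stp "$br" off
    run brctl setfd "$br" 0
    run brctl addif "$br" "$nic"
    run ip link set "$nic" up
    run ip link set "$br" up                 # bridge up, deliberately no address
    # On kernels that support this sysctl, the bridge would otherwise pick up
    # an IPv6 link-local address, which is a layer-3 presence for dom0.
    run sysctl -w "net.ipv6.conf.$br.disable_ipv6=1"
}

# lint_vifs: read a domU config file on stdin and require every vif entry to
# pin mac=, bridge= and ip=. Prints offending entries; exits 0 only if all pass.
lint_vifs() {
    awk -v q="'" '
    /^vif *=/ {
        line = $0
        # walk the single-quoted entries of  vif = [ "...", "..." ]
        while (match(line, (q "[^" q "]*" q))) {
            entry = substr(line, RSTART + 1, RLENGTH - 2)
            line  = substr(line, RSTART + RLENGTH)
            missing = ""
            if (entry !~ /(^|,) *mac=/)    missing = missing " mac"
            if (entry !~ /(^|,) *bridge=/) missing = missing " bridge"
            if (entry !~ /(^|,) *ip=/)     missing = missing " ip"
            if (missing == "") ok++
            else { printf "vif [%s] missing:%s\n", entry, missing; rc = 1 }
        }
    }
    END { if (ok == 0 && rc == 0) { print "no vif entries found"; rc = 1 }; exit rc }'
}

# antispoof_rules VIF MAC IP: bridge-level rules for one guest's backend vif.
# mac= in the config only sets the initial MAC; root inside the domU can change
# it, so drop frames whose source MAC, ARP sender IP or IPv4 source differs.
antispoof_rules() {
    vif=$1; mac=$2; addr=$3
    run ebtables -A FORWARD -i "$vif" -s ! "$mac" -j DROP
    run ebtables -A FORWARD -i "$vif" -p ARP --arp-ip-src ! "$addr" -j DROP
    run ebtables -A FORWARD -i "$vif" -p IPv4 --ip-source ! "$addr" -j DROP
}

# Dry-run walkthrough: DMZ guest on xenbr0/eth0, internal guest on xenbr1/eth1.
setup_bridge xenbr0 eth0
setup_bridge xenbr1 eth1
antispoof_rules vif1.0 00:16:3e:00:00:01 192.0.2.10
```

Run it as root with DRY_RUN=0 to apply, and check guest configs with `lint_vifs < /etc/xen/dmz.cfg` before starting them. The ebtables rules name the backend vif, which only exists while that guest is running, so in practice they belong in the vif-bridge hook (or right after `xm create`) rather than in a boot script. Pinning the MAC in the config alone does not stop the hijack Tim describes, since root in the domU can change it; the bridge-side drop rules do.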