Jean Baptiste FAVRE
2010-Dec-20 14:08 UTC
[Xen-users] Network isolation - PCI passthrough question
Hello,
I'm thinking about using PCI passthrough to dedicate a domU as firewall.

I understand the PCI passthrough concept. When done, my domU will see the network card and the dom0 won't any more. So I'll be able to filter all traffic from outside, since it will go through the network domU.

Then, how will I be able to connect other domUs (and maybe dom0) to the network domU?

In the normal way, creating a domU makes dom0 create vif interfaces and bridge them (in my configuration). But once the network is isolated in a specific domU, dom0 won't be able to interact with it, will it?

Any link/help/explanation appreciated.

Regards,
JB
_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Mike Fröhner
2010-Dec-20 14:47 UTC
[Xen-users] Re: Network isolation - PCI passthrough question
On 20.12.2010 15:08, Jean Baptiste FAVRE wrote:
> Hello,
> I'm thinking about using PCI passthrough to dedicate a domU as firewall.
>
> I understand the PCI passthrough concept. When done, my domU will see the
> network card and the dom0 won't any more. So I'll be able to filter all
> traffic from outside, since it will go through the network domU.
>
> Then, how will I be able to connect other domUs (and maybe dom0) to the
> network domU?
>
> In the normal way, creating a domU makes dom0 create vif interfaces and
> bridge them (in my configuration). But once the network is isolated in a
> specific domU, dom0 won't be able to interact with it, will it?

How many network cards do you have in this computer? I think you'll need at least 2 nics: one for dom0 and domU (vif) to communicate and one for PCI passthrough. As you understood right, dom0 won't see the PCI passthrough nic.

> Any link/help/explanation appreciated.
>
> Regards,
> JB
Jean Baptiste FAVRE
2010-Dec-20 14:55 UTC
Re: [Xen-users] Re: Network isolation - PCI passthrough question
On 20/12/2010 15:47, Mike Fröhner wrote:
> On 20.12.2010 15:08, Jean Baptiste FAVRE wrote:
>> Hello,
>> I'm thinking about using PCI passthrough to dedicate a domU as firewall.
>>
>> I understand the PCI passthrough concept. When done, my domU will see the
>> network card and the dom0 won't any more. So I'll be able to filter all
>> traffic from outside, since it will go through the network domU.
>>
>> Then, how will I be able to connect other domUs (and maybe dom0) to the
>> network domU?
>>
>> In the normal way, creating a domU makes dom0 create vif interfaces and
>> bridge them (in my configuration). But once the network is isolated in a
>> specific domU, dom0 won't be able to interact with it, will it?
>
> How many network cards do you have in this computer? I think you'll need
> at least 2 nics: one for dom0 and domU (vif) to communicate and one for
> PCI passthrough. As you understood right, dom0 won't see the PCI
> passthrough nic.
>
>> Any link/help/explanation appreciated.
>>
>> Regards,
>> JB

Hello,

For now, I have 2 nics within a bond interface.
What I would like to achieve is to have a dedicated domU acting as firewall for all other domUs, like in the Qubes-os project (http://qubes-os.org/Home.html).
That means I want to pass through both nics to one domU called "netDomU" and connect all "regular" domU networks to "netDomU".

But since dom0 won't see any network card, how can I create vif interfaces?
But maybe PCI passthrough won't be the solution for that purpose?

Regards,
JB
Mike Fröhner
2010-Dec-20 16:10 UTC
[Xen-users] Re: Network isolation - PCI passthrough question
On 20.12.2010 15:55, Jean Baptiste FAVRE wrote:
> On 20/12/2010 15:47, Mike Fröhner wrote:
>> On 20.12.2010 15:08, Jean Baptiste FAVRE wrote:
>>> Hello,
>>> I'm thinking about using PCI passthrough to dedicate a domU as firewall.
>>>
>>> I understand the PCI passthrough concept. When done, my domU will see the
>>> network card and the dom0 won't any more. So I'll be able to filter all
>>> traffic from outside, since it will go through the network domU.
>>>
>>> Then, how will I be able to connect other domUs (and maybe dom0) to the
>>> network domU?
>>>
>>> In the normal way, creating a domU makes dom0 create vif interfaces and
>>> bridge them (in my configuration). But once the network is isolated in a
>>> specific domU, dom0 won't be able to interact with it, will it?
>>
>> How many network cards do you have in this computer? I think you'll need
>> at least 2 nics: one for dom0 and domU (vif) to communicate and one for
>> PCI passthrough. As you understood right, dom0 won't see the PCI
>> passthrough nic.
>>
>>> Any link/help/explanation appreciated.
>>>
>>> Regards,
>>> JB
>
> Hello,
>
> For now, I have 2 nics within a bond interface.
> What I would like to achieve is to have a dedicated domU acting as
> firewall for all other domUs, like in the Qubes-os project
> (http://qubes-os.org/Home.html).
> That means I want to pass through both nics to one domU called "netDomU"
> and connect all "regular" domU networks to "netDomU".
>
> But since dom0 won't see any network card, how can I create vif interfaces?

If I understood right you want to simulate an office with different appVMs?

I think I got a solution for you:

The vif doesn't need a bridge from a real nic. You could also use a bridge on the lo-device for domU vifs.

There would be just one problem. The dom0 won't be directly accessible because it does not have an ip address. Perhaps it is possible to create another bridge for communication to the firewall (if it is a router).

This is really crazy stuff :)

Regards,
Mike

> Regards,
> JB
Jean Baptiste FAVRE
2010-Dec-20 16:23 UTC
Re: [Xen-users] Re: Network isolation - PCI passthrough question
On 20/12/2010 17:10, Mike Fröhner wrote:
> On 20.12.2010 15:55, Jean Baptiste FAVRE wrote:
>> On 20/12/2010 15:47, Mike Fröhner wrote:
>>> On 20.12.2010 15:08, Jean Baptiste FAVRE wrote:
>>>> Hello,
>>>> I'm thinking about using PCI passthrough to dedicate a domU as firewall.
>>>>
>>>> I understand the PCI passthrough concept. When done, my domU will see the
>>>> network card and the dom0 won't any more. So I'll be able to filter all
>>>> traffic from outside, since it will go through the network domU.
>>>>
>>>> Then, how will I be able to connect other domUs (and maybe dom0) to the
>>>> network domU?
>>>>
>>>> In the normal way, creating a domU makes dom0 create vif interfaces and
>>>> bridge them (in my configuration). But once the network is isolated in a
>>>> specific domU, dom0 won't be able to interact with it, will it?
>>>
>>> How many network cards do you have in this computer? I think you'll need
>>> at least 2 nics: one for dom0 and domU (vif) to communicate and one for
>>> PCI passthrough. As you understood right, dom0 won't see the PCI
>>> passthrough nic.
>>>
>>>> Any link/help/explanation appreciated.
>>>>
>>>> Regards,
>>>> JB
>>
>> Hello,
>>
>> For now, I have 2 nics within a bond interface.
>> What I would like to achieve is to have a dedicated domU acting as
>> firewall for all other domUs, like in the Qubes-os project
>> (http://qubes-os.org/Home.html).
>> That means I want to pass through both nics to one domU called "netDomU"
>> and connect all "regular" domU networks to "netDomU".
>>
>> But since dom0 won't see any network card, how can I create vif
>> interfaces?
>
> If I understood right you want to simulate an office with different appVMs?
>
> I think I got a solution for you:
>
> The vif doesn't need a bridge from a real nic. You could also use a
> bridge on the lo-device for domU vifs.
>
> There would be just one problem. The dom0 won't be directly accessible
> because it does not have an ip address. Perhaps it is possible to create
> another bridge for communication to the firewall (if it is a router).
>
> This is really crazy stuff :)

Hello,
I like crazy stuff :)
But I still don't see how to achieve it.

I don't care about dom0 network as it's just near me (test machine) :)
But I do care about domU network and I'm not sure I understand your "vif bridged on lo-device".
Could you give more details?

Regards,
JB
Mike Fröhner
2010-Dec-20 16:49 UTC
[Xen-users] Re: Network isolation - PCI passthrough question
On 20.12.2010 17:23, Jean Baptiste FAVRE wrote:
> On 20/12/2010 17:10, Mike Fröhner wrote:
>> On 20.12.2010 15:55, Jean Baptiste FAVRE wrote:
>>> On 20/12/2010 15:47, Mike Fröhner wrote:
>>>> On 20.12.2010 15:08, Jean Baptiste FAVRE wrote:
>>>>> Hello,
>>>>> I'm thinking about using PCI passthrough to dedicate a domU as firewall.
>>>>>
>>>>> I understand the PCI passthrough concept. When done, my domU will see the
>>>>> network card and the dom0 won't any more. So I'll be able to filter all
>>>>> traffic from outside, since it will go through the network domU.
>>>>>
>>>>> Then, how will I be able to connect other domUs (and maybe dom0) to the
>>>>> network domU?
>>>>>
>>>>> In the normal way, creating a domU makes dom0 create vif interfaces and
>>>>> bridge them (in my configuration). But once the network is isolated in a
>>>>> specific domU, dom0 won't be able to interact with it, will it?
>>>>
>>>> How many network cards do you have in this computer? I think you'll need
>>>> at least 2 nics: one for dom0 and domU (vif) to communicate and one for
>>>> PCI passthrough. As you understood right, dom0 won't see the PCI
>>>> passthrough nic.
>>>>
>>>>> Any link/help/explanation appreciated.
>>>>>
>>>>> Regards,
>>>>> JB
>>>
>>> Hello,
>>>
>>> For now, I have 2 nics within a bond interface.
>>> What I would like to achieve is to have a dedicated domU acting as
>>> firewall for all other domUs, like in the Qubes-os project
>>> (http://qubes-os.org/Home.html).
>>> That means I want to pass through both nics to one domU called "netDomU"
>>> and connect all "regular" domU networks to "netDomU".
>>>
>>> But since dom0 won't see any network card, how can I create vif
>>> interfaces?
>>
>> If I understood right you want to simulate an office with different appVMs?
>>
>> I think I got a solution for you:
>>
>> The vif doesn't need a bridge from a real nic. You could also use a
>> bridge on the lo-device for domU vifs.
>>
>> There would be just one problem. The dom0 won't be directly accessible
>> because it does not have an ip address. Perhaps it is possible to create
>> another bridge for communication to the firewall (if it is a router).
>>
>> This is really crazy stuff :)
>
> Hello,
> I like crazy stuff :)
> But I still don't see how to achieve it.
>
> I don't care about dom0 network as it's just near me (test machine) :)
> But I do care about domU network and I'm not sure I understand your "vif
> bridged on lo-device".
> Could you give more details?

Yes, this crazy stuff sounds good :)

Normally I put the bridge for xen's vif (for domUs) on a real network interface because they need communication with the dom0. But you don't need that ip communication between domU and dom0.

I am not sure (because I never did) if it is possible to put a bridge on the loopback device (aka "lo"). That bridge on lo would be the bridge for domU vifs. For example: vif = [ 'bridge=lobr' ]. If I am right this bridge would work like a simple switch and xen would create the vif ("put the cable into switch") if you start an appVM. The networkVM would work like a router with firewall.

> Regards,
> JB
dave
2010-Dec-20 19:57 UTC
Re: [Xen-users] Re: Network isolation - PCI passthrough question
Let's see if I understand, something like:

domU (eth0) -> (PCI passthru) -> nic0

This domU will be like an appliance firewall; eth0, which is directly configured to pci-dev nic0, is effectively the WAN interface of the domU firewall.

Other domU vms are on the LAN side of the firewall, so you need a "virtual LAN".

Bridging to the lo interface can be problematic. Instead, from dom0, configure several 'tap' interfaces (see tunctl), and those can act as the LAN interface of the firewall domU and the interfaces of all other domU vms. They can all be bridged together:

tunctl -t tap0
tunctl -t tap1
...
# then
brctl addbr tap-br0
brctl addif tap-br0 tap0
brctl addif tap-br0 tap1
...

Then assign tap0 to the firewall domU, tap1 to the first domU vm ...

Is this what you're trying to accomplish?
Simon Hobson
2010-Dec-20 20:02 UTC
Re: [Xen-users] Re: Network isolation - PCI passthrough question
Jean Baptiste FAVRE wrote:
> I don't care about dom0 network as it's just near me (test machine) :)
> But I do care about domU network and I'm not sure I understand your "vif
> bridged on lo-device".

I'd suggest you try manually creating a bridge with no network interfaces attached to it*. You can add an IP address directly to the bridge interface, and then the Dom0 and any DomUs you attach to it can communicate between themselves. But with no external interface attached to the bridge, nothing will have access to an outside network other than through the firewall DomU.

Apart from the lack of external NIC, this is how I run my home network. I do PCI passthrough to hide a NIC (connected to an ADSL modem) from Dom0, and all outside traffic passes through the virtual firewall in order to reach the outside world.

* IIRC something like this ought to do it:

brctl addbr br0
ip addr add w.x.y.z/n dev br0

and then specify br0 when configuring VIFs in your guests.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
Jean Baptiste FAVRE
2010-Dec-20 21:45 UTC
Re: [Xen-users] Re: Network isolation - PCI passthrough question
On 20/12/2010 20:57, dave wrote:
> Let's see if I understand, something like:
>
> domU (eth0) -> (PCI passthru) -> nic0
>
> This domU will be like an appliance firewall; eth0, which is directly
> configured to pci-dev nic0, is effectively the WAN interface of the domU
> firewall.
>
> Other domU vms are on the LAN side of the firewall, so you need a "virtual LAN".
>
> Bridging to the lo interface can be problematic. Instead, from dom0,
> configure several 'tap' interfaces (see tunctl), and those can act as
> the LAN interface of the firewall domU and the interfaces of all other domU
> vms. They can all be bridged together:
>
> tunctl -t tap0
> tunctl -t tap1
> ...
> # then
> brctl addbr tap-br0
> brctl addif tap-br0 tap0
> brctl addif tap-br0 tap1
> ...
>
> Then assign tap0 to the firewall domU, tap1 to the first domU vm ...
>
> Is this what you're trying to accomplish?

Yes, it's more or less what I'm trying to do.
In an ideal world, I would like dom0 to be completely unaware of the domU network. But I realize I need it to be able to attach the domUs' nics to the bridge.

As far as I have seen, there is no way to attach a domU nic directly to my firewall domU. So, dom0 will always have access to network traffic from domU, right?

Regards,
JB
Jean Baptiste FAVRE
2010-Dec-20 21:46 UTC
Re: [Xen-users] Re: Network isolation - PCI passthrough question
On 20/12/2010 21:02, Simon Hobson wrote:
> Jean Baptiste FAVRE wrote:
>
>> I don't care about dom0 network as it's just near me (test machine) :)
>> But I do care about domU network and I'm not sure I understand your "vif
>> bridged on lo-device".
>
> I'd suggest you try manually creating a bridge with no network
> interfaces attached to it*. You can add an IP address directly to the
> bridge interface, and then the Dom0 and any DomUs you attach to it can
> communicate between themselves. But with no external interface attached
> to the bridge, nothing will have access to an outside network other than
> through the firewall DomU.
>
> Apart from the lack of external NIC, this is how I run my home network.
> I do PCI passthrough to hide a NIC (connected to an ADSL modem) from
> Dom0, and all outside traffic passes through the virtual firewall in
> order to reach the outside world.
>
> * IIRC something like this ought to do it:
>
> brctl addbr br0
> ip addr add w.x.y.z/n dev br0
>
> and then specify br0 when configuring VIFs in your guests.

Thanks for the explanations, I'll try it.

Regards,
JB
dave
2010-Dec-20 22:45 UTC
Re: [Xen-users] Re: Network isolation - PCI passthrough question
> As far as I have seen, there is no way to attach a domU nic directly to
> my firewall domU. So, dom0 will always have access to network traffic
> from domU, right?

Only if you add a dom0 interface to the bridge. For example:

  domu-2  : tap2  --|
  domu-1  : tap1  --|
  domu-fw : tapfw --|
                    |
                 tap-br0
                    |
  dom0    : tap0  --|

So only do

brctl addif tap-br0 tap0

when dom0 needs to join the LAN, then

brctl delif tap-br0 tap0

when you want dom0 to leave the LAN.

Again, I'm not sure if this is what you're trying to do, but it will isolate dom0 from your virtual LAN.
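A dom0-side helper for the arrangement Simon and dave describe above (an added example, not code posted by anyone in this thread): a LAN bridge with no physical NIC on it, dom0 attached only on demand, plus an audit that parses `brctl show` output and flags any physical NIC, bond or dom0-owned tap that has ended up on the bridge, since any such member bypasses the firewall domU. It assumes bridge-utils and iproute2 in dom0 and reuses the interface names from the thread (tap-br0, tapN, bond0).

```shell
#!/bin/sh
# Added example for the xen-users thread; not code from any participant.
# Assumptions: brctl (bridge-utils) and ip (iproute2) exist in dom0; the
# bridge/tap names are the ones dave used. The setup functions need root
# and are only defined here; the audit works on text and runs anywhere.

LAN_BRIDGE="${LAN_BRIDGE:-tap-br0}"

# Create the LAN bridge with nothing attached: the only path out of the
# virtual LAN is then the firewall domU holding the passed-through NIC.
create_isolated_bridge() {
    brctl addbr "$LAN_BRIDGE" && ip link set "$LAN_BRIDGE" up
}

# dave's on-demand membership: attach dom0's tap only while an admin needs
# it, and detach it again afterwards.
dom0_join_lan()  { brctl addif "$LAN_BRIDGE" "${1:-tap0}"; }
dom0_leave_lan() { brctl delif "$LAN_BRIDGE" "${1:-tap0}"; }

# Interfaces backed by a real device in dom0 (PCI NICs). After passthrough
# the firewall's NIC disappears from here; anything left must stay off the
# LAN bridge.
physical_nics() {
    for dev in /sys/class/net/*/device; do
        if [ -e "$dev" ]; then basename "$(dirname "$dev")"; fi
    done
}

# Print the members of $LAN_BRIDGE from `brctl show` text on stdin.
# brctl prints the first member on the bridge's own line and further
# members on whitespace-indented continuation lines; the awk tracks the
# current bridge across those lines.
lan_bridge_members() {
    awk -v br="$LAN_BRIDGE" '
        $1 == "bridge" { next }                        # column header
        NF >= 3 { cur = $1; if (cur == br && NF >= 4) print $4; next }
        NF == 1 && cur == br { print $1 }'
}

# Audit: $1 is `brctl show` output, $2 a space-separated list of interfaces
# that must never sit on the LAN bridge (physical NICs, bond0, dom0's tap).
# Prints the offenders; returns 0 only when the bridge is clean.
audit_bridge_members() {
    brctl_out="$1"; forbidden="$2"; bad=""
    for m in $(printf '%s\n' "$brctl_out" | lan_bridge_members); do
        for f in $forbidden; do
            if [ "$m" = "$f" ]; then bad="$bad $m"; fi
        done
    done
    bad="${bad# }"
    printf '%s\n' "$bad"
    [ -z "$bad" ]
}

# Constructed sample of `brctl show` on a dom0 that forgot to leave the LAN
# (bridge ids are made up).
SAMPLE_BRCTL_SHOW='bridge name     bridge id               STP enabled     interfaces
tap-br0         8000.fe0000000001       no              tap1
                                                        tap2
                                                        tapfw
                                                        tap0
xenbr0          8000.fe0000000002       no              bond0'

# Live usage from dom0:
#   audit_bridge_members "$(brctl show)" "$(physical_nics) bond0 tap0"
```

Run the audit from cron or before a domU start; a non-zero exit means dom0 or a real NIC is on the virtual LAN and the firewall domU is being bypassed.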
J. Roeleveld
2010-Dec-21 07:37 UTC
Re: [Xen-users] Network isolation - PCI passthrough question
On Monday 20 December 2010 15:08:19 Jean Baptiste FAVRE wrote:
> Hello,
> I'm thinking about using PCI passthrough to dedicate a domU as firewall.
>
> I understand the PCI passthrough concept. When done, my domU will see the
> network card and the dom0 won't any more. So I'll be able to filter all
> traffic from outside, since it will go through the network domU.
>
> Then, how will I be able to connect other domUs (and maybe dom0) to the
> network domU?
>
> In the normal way, creating a domU makes dom0 create vif interfaces and
> bridge them (in my configuration). But once the network is isolated in a
> specific domU, dom0 won't be able to interact with it, will it?
>
> Any link/help/explanation appreciated.
>
> Regards,
> JB

I actually do it this way. All the network devices are exported to my firewall domain and I can still access the dom0 (where the firewall allows it).

Have a look at the "dummy" network interface. It works "just" like a normal NIC, e.g. you can assign it an IP and you can add it to a bridge.

--
Joost
Jean Baptiste FAVRE
2010-Dec-21 08:17 UTC
Re: [Xen-users] Re: Network isolation - PCI passthrough question
On 20/12/2010 23:45, dave wrote:
>> As far as I have seen, there is no way to attach a domU nic directly to
>> my firewall domU. So, dom0 will always have access to network traffic
>> from domU, right?
>
> Only if you add a dom0 interface to the bridge. For example:
>
>   domu-2  : tap2  --|
>   domu-1  : tap1  --|
>   domu-fw : tapfw --|
>                     |
>                  tap-br0
>                     |
>   dom0    : tap0  --|
>
> So only do
> brctl addif tap-br0 tap0
> when dom0 needs to join the LAN, then
> brctl delif tap-br0 tap0
> when you want dom0 to leave the LAN.
>
> Again, I'm not sure if this is what you're trying to do, but it will
> isolate dom0 from your virtual LAN.

Hello,
I understand what you mean. But even if dom0 has no interface bridged, I think I'll be able to listen to network traffic, no?
That is, a tcpdump -i tap-br0 will display network traffic from domU, right?

Then, what if I want to block that? Will I have to use a VPN (either SSL or IPSEC) in order to make dom0 unable to listen for traffic? Is it realistic?

I want to mitigate the consequences if dom0 gets compromised, that's why I'm trying to isolate the network.

Thanks for all the explanations, I've many things to test now :)

Regards,
JB
Jean Baptiste FAVRE
2010-Dec-21 08:24 UTC
Re: [Xen-users] Re: Network isolation - PCI passthrough question
On 20/12/2010 23:00, Peter Viskup wrote:
> On 12/20/2010 10:46 PM, Jean Baptiste FAVRE wrote:
>> On 20/12/2010 21:02, Simon Hobson wrote:
>>
>>> Jean Baptiste FAVRE wrote:
>>>
>>>> I don't care about dom0 network as it's just near me (test machine) :)
>>>> But I do care about domU network and I'm not sure I understand your
>>>> "vif bridged on lo-device".
>>>
>>> I'd suggest you try manually creating a bridge with no network
>>> interfaces attached to it*. You can add an IP address directly to the
>>> bridge interface, and then the Dom0 and any DomUs you attach to it can
>>> communicate between themselves. But with no external interface attached
>>> to the bridge, nothing will have access to an outside network other than
>>> through the firewall DomU.
>>>
>>> Apart from the lack of external NIC, this is how I run my home network.
>>> I do PCI passthrough to hide a NIC (connected to an ADSL modem) from
>>> Dom0, and all outside traffic passes through the virtual firewall in
>>> order to reach the outside world.
>>>
>>> * IIRC something like this ought to do it:
>>>
>>> brctl addbr br0
>>> ip addr add w.x.y.z/n dev br0
>>>
>>> and then specify br0 when configuring VIFs in your guests.
>>
>> Thanks for the explanations, I'll try it.
>> Regards,
>> JB
>
> Hello Jean,
> I am using this configuration with bridging of an 'internal virtual'
> network for domU interconnection. Let me know in case you are
> interested and I can send you my domU config + dom0's
> /etc/network/interfaces.
> I have two servers interconnected with two Ethernet ports in bonding +
> bridge on both sides, and all domUs on both servers can reach each other
> via this bridged network.
> Works pretty well.

Hello Peter,
Of course I'm interested :)

For now, I've 2 old servers for tests, both connected via 2 ethernet ports in bonding + bridge for wan. The "lan" part is used for DRBD replication as well as live migration.
I have documented the initial setup here: http://publications.jbfavre.org/virtualisation/cluster-xen-corosync-pacemaker-drbd-ocfs2.en

Now I've removed heartbeat/pacemaker and am trying to harden dom0 security and domU isolation. That's why I would like to remove network stuff from dom0, but I think I will still have the bridge in it.

Thanks anyway,
JB
Simon Hobson
2010-Dec-21 18:53 UTC
Re: [Xen-users] Re: Network isolation - PCI passthrough question
Jean Baptiste FAVRE wrote:
> I understand what you mean. But even if dom0 has no interface bridged, I
> think I'll be able to listen to network traffic, no?
...
> I want to mitigate the consequences if dom0 gets compromised, that's why I'm
> trying to isolate the network.

All traffic passes through a process in Dom0 - that's just the way it's been built. But bear this in mind: if your Dom0 is compromised then EVERYTHING running on that physical machine is also compromised. If you control Dom0, you have access to all the guests, their memory, and their disks - as well as their network traffic.

In other words, worrying about someone being able to sniff network traffic when they've compromised your Dom0 is a bit like the captain of the Titanic worrying about someone helping themselves at the bar while the crew are distracted by an iceberg!

--
Simon Hobson
Jean Baptiste FAVRE
2010-Dec-21 19:21 UTC
Re: [Xen-users] Re: Network isolation - PCI passthrough question
On 21/12/2010 19:53, Simon Hobson wrote:
> Jean Baptiste FAVRE wrote:
>
>> I understand what you mean. But even if dom0 has no interface bridged, I
>> think I'll be able to listen to network traffic, no?
> ...
>> I want to mitigate the consequences if dom0 gets compromised, that's why I'm
>> trying to isolate the network.
>
> All traffic passes through a process in Dom0 - that's just the way it's
> been built. But bear this in mind: if your Dom0 is compromised then
> EVERYTHING running on that physical machine is also compromised. If you
> control Dom0, you have access to all the guests, their memory, and their
> disks - as well as their network traffic.
>
> In other words, worrying about someone being able to sniff network
> traffic when they've compromised your Dom0 is a bit like the captain of
> the Titanic worrying about someone helping themselves at the bar while
> the crew are distracted by an iceberg!

Hello Simon,
Well, I didn't see things like that, but I must admit you're right :)
And since I don't want to be the captain of the Titanic, I think protecting dom0 from direct access with my firewall domU is better than nothing.

Thanks to all of you for helping me better understand Xen!
I'll now make my tests, write documentation and publish it. Will keep you updated.

Regards,
JB