I am not a Xen expert, but AFAICT, you can configure iptables in the VM
and in the host.

note that I am not saying you should do that. it really depends on your
setup. if you can script the work to implement "centralized" admin, then
it may be worth the pain.
Yeah, I'm used to scripting iptables upon VM boot and shutdown for customers, so setting this up for iptables should be ok. Xen makes life so much easier by giving each VM an interface, so you can filter based on that.
So you think given this, that placing the mail server in the DMZ is ok then?

sure it is. as already recommended, you can use VLAN to implement
logical segmentation inside a zone (provided your VLAN implementation
can't be circumvented. remember, this is only logical...).
Think it would be ok if I didn't use VLAN segmentation, but just used iptables between hosts? I think this would nearly achieve the same thing...
