Re: [Vserver] is DMZ on dummy[0-9] good practice

2005-08-16 Thread Dirk Ruediger
Matthew Nuzum wrote:
>>If I can gather all the information needed, then I am willing to write
>>some docs in the wiki at linux-vserver.org :-)
>
> Dirk,
> 
> If you feel capable and have the time, I suspect many would enjoy reading a
> mini "how to" explaining the set up of a virtual LAN like you're doing.
> 
> It seems like the subject comes up often enough for it to be a useful
> reference.

That's why I offered to do this. I spent much time searching through the
mail archives ...
But I haven't worked with vlan so far, "only" a DMZ with a (minimal) firewall
setup. And it's working fine :-)

I don't know when I can achieve this, but I will.

Greetings
Dirk
___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] is DMZ on dummy[0-9] good practice

2005-08-14 Thread Sam Vilain
On Sat, 2005-08-13 at 09:37 +0200, Dirk Ruediger wrote:
> I wanted to have a DMZ and installed an additional network card to bind
> all these vservers to. But then I discovered the dummy device and want
> to change eth1 against dummy0 (after installing the dummy module ;-)
> and remove the additional network card from the server if it can be done.
> But first I want to know, if this is common (=good) practice. Or should I
> rather tinker with bridge and tun devices? The mailing list shows many
> things possible (vlan, bridge, dummy), but I can't see, what the best
> practices are.

Dirk,

I think that setting up "machine internal" networks on dummy interfaces
is a good practise.  I have been using such a configuration for a while
myself.  Setting them up on a real physical interface also addresses the
root problem that is the motivation to do this, which is to keep their
traffic off the wire even if your firewalling is turned off momentarily.
Using a dummy interface, you save yourself one network card to achieve
this separation.

One peculiarity is that despite all vservers being defined on the dummy0
network, packets between vservers do not cross the host boundary.
Instead, they are considered to pass through the loopback interface when
talking between vservers, or from the host to and from any of the
vservers.

However, this is no problem as you simply set up your iptables rules to
limit which vservers can talk to which other vservers on the loopback
interface.

Sam.



Re: [Vserver] is DMZ on dummy[0-9] good practice

2005-08-14 Thread Gilles
Hello.

> > But first I want to know, if this is common (=good) practice. Or should I
> > rather tinker with bridge and tun devices? The mailing list shows many
> > things possible (vlan, bridge, dummy), but I can't see, what the best
> > practices are.
> > 
> > If I can gather all the information needed, then I am willing to write
> > some docs in the wiki at linux-vserver.org :-)
> > 
> 
> Dirk,
> 
> If you feel capable and have the time, I suspect many would enjoy reading a
> mini "how to" explaining the set up of a virtual LAN like you're doing.
> 
> It seems like the subject comes up often enough for it to be a useful
> reference.
> 

I was the one who recently bugged Herbert about this kind of setup.
I had promised I would write a summary of Herbert's tips [other things
came up and I had to delay ;-/ ], so I could help with a section or two
(but not next week).
Nevertheless, I should point out that I have the impression that trying to
mimic a DMZ network and an internal network through multiple vservers
inside a single host doesn't give more security than just having all the
vservers on the same net as the host; the impression coming mainly from
Herbert's persistently calling this a "funny" scenario.
It seems that "ngnet" might be what we are actually looking for...

Best regards,
Gilles


RE: [Vserver] is DMZ on dummy[0-9] good practice

2005-08-13 Thread Matthew Nuzum
> I wanted to have a DMZ and installed an additional network card to bind
> all these vservers to. But then I discovered the dummy device and want
> to change eth1 against dummy0 (after installing the dummy module ;-)
> and remove the additional network card from the server if it can be done.
> 
> But first I want to know, if this is common (=good) practice. Or should I
> rather tinker with bridge and tun devices? The mailing list shows many
> things possible (vlan, bridge, dummy), but I can't see, what the best
> practices are.
> 
> If I can gather all the information needed, then I am willing to write
> some docs in the wiki at linux-vserver.org :-)
> 

Dirk,

If you feel capable and have the time, I suspect many would enjoy reading a
mini "how to" explaining the set up of a virtual LAN like you're doing.

It seems like the subject comes up often enough for it to be a useful
reference.

-- 
Matthew Nuzum <[EMAIL PROTECTED]>
www.followers.net - Makers of "Elite Content Management System"
View samples of Elite CMS in action by visiting
http://www.followers.net/portfolio/



Re: [Vserver] is DMZ on dummy[0-9] good practice

2005-08-13 Thread Herbert Poetzl
On Sat, Aug 13, 2005 at 09:37:13AM +0200, Dirk Ruediger wrote:
> Hi all,
> 
> I just installed (that means 14 days ago) linux-vserver and run ~12
> vservers on one physical box running different services inside every
> vserver (mail server, web server, etc.). It works great! The iptables
> firewall (via firehol) is filtering all the traffic for the vservers.

great! sounds like the way it's supposed to be ...

> I wanted to have a DMZ and installed an additional network card to bind
> all these vservers to. But then I discovered the dummy device and want
> to change eth1 against dummy0 (after installing the dummy module ;-)
> and remove the additional network card from the server if it can be done.

sure, that can be done ...

> But first I want to know, if this is common (=good) practice. Or should I
> rather tinker with bridge and tun devices? The mailing list shows many
> things possible (vlan, bridge, dummy), but I can't see, what the best
> practices are.

actually it doesn't really matter which device you 'bind'
the address to, because the interface will not be used
for outgoing packets (if it isn't the proper route, which
is very unlikely with a dummy device) and it will not
be used for local traffic either ...

bridge/tun sounds funny, but nobody could explain to me
the purpose/feature/idea behind that ...

> If I can gather all the information needed, then I am willing to write
> some docs in the wiki at linux-vserver.org :-)

so IMHO dummy0 should be what you want, but don't assume
that packets will originate from there or leave through
this interface (otherwise your setup is very broken)

HTH,
Herbert

> Thanks for your advice.
> 
> Greetings
> Dirk
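Sam's and Herbert's replies make the same practical point: the addresses bound to dummy0 are never used to send packets, and traffic between vservers on the same host (or between the host and a vserver) is seen by netfilter on the loopback interface, so that is where the inter-vserver policy has to live. The script below is an added illustration and not part of the thread; the network 10.0.1.0/24, the three vserver addresses and the allowed client/server pairs are constructed, and in a real installation the vserver start scripts, not this script, add the addresses to the interface.

```shell
#!/bin/sh
# Added example: bind a constructed DMZ to dummy0 and restrict which vservers
# may talk to each other on lo (where local-to-local traffic is filtered).

DMZ_NET="10.0.1.0/24"      # constructed DMZ network carried by dummy0
VS_WEB="10.0.1.11"         # constructed vserver addresses
VS_MAIL="10.0.1.12"
VS_DB="10.0.1.13"

# Connections a vserver may open, written "client>server" (constructed policy).
ALLOWED_PAIRS="$VS_WEB>$VS_DB $VS_MAIL>$VS_DB"

# With DRY_RUN=1 every command is printed instead of executed, so the
# resulting ruleset can be reviewed without root.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

setup_dummy_iface() {
    run modprobe dummy
    run ip link set dummy0 up
    # Normally done by the vserver tools at guest start; shown only to make
    # clear where the addresses live. Nothing leaves through dummy0.
    for a in $VS_WEB $VS_MAIL $VS_DB; do
        run ip addr add "$a/24" dev dummy0
    done
}

setup_lo_policy() {
    # Dedicated chain, so the rest of INPUT stays as firehol generated it.
    run iptables -N VS_LO
    run iptables -F VS_LO
    # Only DMZ-to-DMZ traffic on lo enters the chain; 127.0.0.1 and
    # host<->vserver traffic are deliberately left alone.
    run iptables -A INPUT -i lo -s "$DMZ_NET" -d "$DMZ_NET" -j VS_LO
    # Replies belonging to an already accepted connection.
    run iptables -A VS_LO -m state --state ESTABLISHED,RELATED -j ACCEPT
    # A vserver may always reach its own address.
    for a in $VS_WEB $VS_MAIL $VS_DB; do
        run iptables -A VS_LO -s "$a" -d "$a" -j ACCEPT
    done
    # Explicitly allowed client>server pairs, new connections only.
    for pair in $ALLOWED_PAIRS; do
        src=${pair%>*}
        dst=${pair#*>}
        run iptables -A VS_LO -s "$src" -d "$dst" -m state --state NEW -j ACCEPT
    done
    # Anything else between vservers is logged, then dropped.
    run iptables -A VS_LO -j LOG --log-prefix "vs-lo-drop: "
    run iptables -A VS_LO -j DROP
}

# Number of ACCEPT rules the policy generates; a cheap sanity check
# before applying it (1 state rule + 3 self rules + 2 pairs = 6 here).
count_accept_rules() {
    ( DRY_RUN=1; setup_lo_policy ) | grep -c -- '-j ACCEPT'
}
```

Review the ruleset first with `DRY_RUN=1 sh -c '. ./vs-lo.sh; setup_dummy_iface; setup_lo_policy'`, then source the file as root and call the two functions. Because the LOG rule sits just before the DROP, a vserver that was not expected to talk to another shows up in the kernel log with the `vs-lo-drop:` prefix, which is the quickest way to notice that the policy is too tight or that a guest is doing something it should not.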


[Vserver] is DMZ on dummy[0-9] good practice

2005-08-13 Thread Dirk Ruediger
Hi all,

I just installed (that means 14 days ago) linux-vserver and run ~12
vservers on one physical box running different services inside every
vserver (mail server, web server, etc.). It works great! The iptables
firewall (via firehol) is filtering all the traffic for the vservers.

I wanted to have a DMZ and installed an additional network card to bind
all these vservers to. But then I discovered the dummy device and want
to change eth1 against dummy0 (after installing the dummy module ;-)
and remove the additional network card from the server if it can be done.

But first I want to know, if this is common (=good) practice. Or should I
rather tinker with bridge and tun devices? The mailing list shows many
things possible (vlan, bridge, dummy), but I can't see, what the best
practices are.

If I can gather all the information needed, then I am willing to write
some docs in the wiki at linux-vserver.org :-)

Thanks for your advice.

Greetings
Dirk

