Re: [Vserver] is DMZ on dummy[0-9] good practice

2005-08-16 Thread Dirk Ruediger
Matthew Nuzum wrote:
>> If I can gather all the information needed, then I am willing to write
>> some docs in the wiki at linux-vserver.org :-)
>
> Dirk,
>
> If you feel capable and have the time, I suspect many would enjoy reading a
> mini how to explaining the set up of a virtual LAN like you're doing.
>
> It seems like the subject comes up often enough for it to be a useful
> reference.

That's why I offered to do this. I spent much time searching through the
mail archives ...
But I haven't worked with vlan so far, only a DMZ (with minimal) firewall
setup. And it's working fine :-)

I don't know when I can achieve this, but I will do it.

Greetings
Dirk
___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] is DMZ on dummy[0-9] good practice

2005-08-14 Thread Gilles
Hello.

>> But first I want to know if this is common (=good) practice. Or should I
>> rather tinker with bridge and tun devices? The mailing list shows many
>> things possible (vlan, bridge, dummy), but I can't see what the best
>> practices are.
>>
>> If I can gather all the information needed, then I am willing to write
>> some docs in the wiki at linux-vserver.org :-)
>
> Dirk,
>
> If you feel capable and have the time, I suspect many would enjoy reading a
> mini how to explaining the set up of a virtual LAN like you're doing.
>
> It seems like the subject comes up often enough for it to be a useful
> reference.
 

I was the one who recently bugged Herbert about this kind of setup.
I had promised I would write a summary of Herbert's tips [other things
came up and I had to delay ;-/ ], so I could help with a section or two
(but not next week).
Nevertheless, I should point out that I have the impression that trying to
mimic a DMZ network and an internal network through multiple vservers
inside a single host doesn't give more security than just having all the
vservers on the same net as the host; the impression coming mainly from
Herbert's persistently calling this a funny scenario.
It seems that ngnet might be what we are actually looking for...

Best regards,
Gilles


Re: [Vserver] is DMZ on dummy[0-9] good practice

2005-08-13 Thread Herbert Poetzl
On Sat, Aug 13, 2005 at 09:37:13AM +0200, Dirk Ruediger wrote:
> Hi all,
>
> I just installed (that means 14 days ago) linux-vserver and run ~12
> vservers on one physical box running different services inside every
> vserver (mail server, web server, etc.). It works great! The iptables
> firewall (via firehol) is filtering all the traffic for the vservers.

great! sounds like the way it's supposed to be ...

> I wanted to have a DMZ and installed an additional network card to bind
> all these vservers to. But then I discovered the dummy device and want
> to change eth1 against dummy0 (after installing the dummy module ;-)
> and remove the additional network card from the server if it can be done.

sure, that can be done ...

> But first I want to know if this is common (=good) practice. Or should I
> rather tinker with bridge and tun devices? The mailing list shows many
> things possible (vlan, bridge, dummy), but I can't see what the best
> practices are.

actually it doesn't really matter which device you 'bind'
the address to, because the interface will not be used
for outgoing packets (if it isn't the proper route, which
is very unlikely with a dummy device) and it will not
be used for local traffic either ...

bridge/tun sounds funny, but nobody could explain to me
the purpose/feature/idea behind that ...

> If I can gather all the information needed, then I am willing to write
> some docs in the wiki at linux-vserver.org :-)

so IMHO dummy0 should be what you want, but don't assume
that packets will originate from there or leave through
this interface (otherwise your setup is very broken)

HTH,
Herbert

> Thanks for your advice.
>
> Greetings
> Dirk
 
 
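Herbert's point in the message above has a consequence for the iptables setup Dirk describes: if packets for an address bound to dummy0 neither arrive nor leave through that device, a rule that matches on the dummy interface is not the one filtering vserver traffic, and the match belongs on the address. The check below is an added example, not code from the thread; the iptables-save excerpt and the 10.0.0.x addresses are constructed for illustration.

```python
import re
import shlex

# Constructed iptables-save excerpt (not from the thread); 10.0.0.x are
# assumed vserver addresses bound to dummy devices.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i dummy0 -p tcp --dport 25 -j ACCEPT
-A INPUT -i eth0 -d 10.0.0.2/32 -p tcp --dport 80 -j ACCEPT
-A OUTPUT -o dummy1 -s 10.0.0.3/32 -j DROP
-A INPUT ! -i dummy0 -d 10.0.0.4/32 -j DROP
COMMIT
"""

IFACE_FLAGS = {"-i", "--in-interface", "-o", "--out-interface"}
DUMMY_IFACE = re.compile(r"dummy\d*\+?")  # dummy0, dummy1, or the wildcard dummy+


def find_dummy_interface_matches(ruleset):
    """Return (line_no, chain, iface, negated) for rules keyed on a dummy device."""
    findings = []
    for line_no, line in enumerate(ruleset.splitlines(), start=1):
        if not line.startswith("-A "):
            continue  # table names, chain policies, COMMIT
        tokens = shlex.split(line)
        chain = tokens[1]
        for i, tok in enumerate(tokens[:-1]):
            if tok in IFACE_FLAGS and DUMMY_IFACE.fullmatch(tokens[i + 1]):
                negated = tokens[i - 1] == "!"
                findings.append((line_no, chain, tokens[i + 1], negated))
    return findings


def report(ruleset):
    """Per the thread, traffic does not traverse the dummy device: a plain
    interface match is not expected to fire, a negated one fires for everything."""
    lines = []
    for line_no, chain, iface, negated in find_dummy_interface_matches(ruleset):
        effect = "matches regardless of interface" if negated else "is not expected to match"
        lines.append(f"line {line_no}: {chain} rule on {iface} {effect}; match on the address instead")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_RULES)))
```
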


RE: [Vserver] is DMZ on dummy[0-9] good practice

2005-08-13 Thread Matthew Nuzum
> I wanted to have a DMZ and installed an additional network card to bind
> all these vservers to. But then I discovered the dummy device and want
> to change eth1 against dummy0 (after installing the dummy module ;-)
> and remove the additional network card from the server if it can be done.
>
> But first I want to know if this is common (=good) practice. Or should I
> rather tinker with bridge and tun devices? The mailing list shows many
> things possible (vlan, bridge, dummy), but I can't see what the best
> practices are.
>
> If I can gather all the information needed, then I am willing to write
> some docs in the wiki at linux-vserver.org :-)
 

Dirk,

If you feel capable and have the time, I suspect many would enjoy reading a
mini how to explaining the set up of a virtual LAN like you're doing.

It seems like the subject comes up often enough for it to be a useful
reference.

-- 
Matthew Nuzum [EMAIL PROTECTED]
www.followers.net - Makers of Elite Content Management System
View samples of Elite CMS in action by visiting
http://www.followers.net/portfolio/
