Following up on my postings from last week, where I said:

> In an attempt to avoid having to use the multi-ISP stuff, I tried
> an experiment this evening in which I set up Xen on my firewall
> and created a domU to handle one of my external IP addresses.

I tried running Shorewall both on the dom0 and also on each domU,
but I ran into problems, and Simon Hobson wrote:

> Take a piece of advice:  Don't try to run a firewall, especially
> using masq, in Dom0.  I'm not sure anyone in the world truly
> understands networking under Xen, and even Tom himself has
> effectively said "don't do it" (in previous threads).

So I rebuilt my experimental system, using Shorewall in each domU,
but no firewalling in the dom0.  The internal (LAN) interface is
bridged amongst the domU's and the dom0.  The external (Internet)
interface is also bridged amongst the domU's and the dom0, but I
assigned a bogus IP address to the external NIC in the dom0, and
the dom0's default route points to one of the domU's, so no traffic
goes out directly to the Internet via the dom0.

This setup appears to work.  One advantage (in my environment, with
multiple external IP addresses) is that the Shorewall configuration
in each domU only has to deal with one external IP address, so the
configurations are easier to deal with than when everything was in
one big configuration.

The main failing is that I can no longer have a single default route
for every machine in my LAN.  This isn't a showstopper issue, because
each server that has a dedicated external IP address can simply be
reconfigured to use the corresponding domU as its default route, and
everyone else (workstations, laptops, etc.) can use the "default"
domU as their default route.  It would still be nice if I could
somehow advertise the dom0 as the default gateway in my LAN, and
configure the dom0 in some way to pass outbound traffic to this or
that domU as appropriate, but I can live without that if necessary.

-- 
Rich Wales      ===      Palo Alto, CA, USA      ===     [EMAIL PROTECTED]
http://www.richw.org   ===   http://en.wikipedia.org/wiki/User:Richwales
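The setup described above, written out as an added example (this is not code from the post, from Simon Hobson, or from the Shorewall project): one function writes the Shorewall tables for a domU that owns a single external address, one writes the dom0 side (a non-routable address on the external NIC and a default route toward a domU), and one checks a dom0 routing table so that no default route slips out directly via the external bridge, which is the property the whole layout depends on. Everything here is an assumption or a constructed value: eth0 is the external bridge side and eth1 the LAN side in every guest, the LAN is 192.168.1.0/24, 203.0.113.10 stands in for a real external address, 10.255.255.254/32 stands in for the "bogus" dom0 address, and the table columns follow the Shorewall 4.x-era layout.

```shell
#!/bin/sh
# Added example, not from the original post or from Shorewall itself.
# Assumed, constructed values: eth0 = external bridge side, eth1 = LAN side
# in every guest; LAN 192.168.1.0/24; 203.0.113.10 = a documentation-range
# external address; 10.255.255.254/32 = placeholder for dom0's bogus address.

# write_domu_shorewall <outdir> <external_ip>
# zones/interfaces/policy/masq for a domU that owns exactly one external
# address and NATs the LAN hosts that use it as their default route.
write_domu_shorewall() {
    out=$1; ext_ip=$2
    mkdir -p "$out"
    cat > "$out/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
EOF
    cat > "$out/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter
loc     eth1        detect      tcpflags,nosmurfs
EOF
    cat > "$out/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG
loc     net     ACCEPT
fw      all     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF
    # SNAT LAN sources to this domU's single external address
    printf '#INTERFACE\tSOURCE\t\tADDRESS\n' > "$out/masq"
    printf 'eth0\t\t192.168.1.0/24\t%s\n' "$ext_ip" >> "$out/masq"
}

# write_dom0_netscript <outfile> <ext_if> <bogus_ip> <domu_lan_ip>
# dom0 keeps a non-routable address on the external NIC and sends its own
# traffic to a domU across the LAN bridge, as the post describes.
write_dom0_netscript() {
    f=$1; ext_if=$2; bogus=$3; gw=$4
    {
        echo '#!/bin/sh'
        echo "ip addr flush dev $ext_if"
        echo "ip addr add $bogus dev $ext_if"
        echo "ip route replace default via $gw"
    } > "$f"
}

# dom0_egress_ok <ip-route-show-output> <lan_if>
# Succeeds only when there is exactly one default route and it leaves via
# the LAN bridge (toward a domU), so nothing bypasses the domU firewalls.
dom0_egress_ok() {
    routes=$1; lan_if=$2
    n=$(printf '%s\n' "$routes" | grep -c '^default ' || true)
    [ "$n" -eq 1 ] || return 1
    printf '%s\n' "$routes" | grep '^default ' | grep -Eq " dev $lan_if( |$)"
}

# Constructed samples of `ip route show` on dom0, not captured from a real host
GOOD_ROUTES='default via 192.168.1.11 dev eth1
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.1'
BAD_ROUTES='default via 203.0.113.1 dev eth0
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.1'

if dom0_egress_ok "$GOOD_ROUTES" eth1; then echo "good table: dom0 egresses via a domU"; fi
if ! dom0_egress_ok "$BAD_ROUTES" eth1; then echo "bad table: dom0 bypasses the domU firewalls"; fi
```

The check is worth running after every network change on the dom0: the external NIC is still attached to the external bridge, and a single stray default route there would let dom0 traffic leave without passing any domU's Shorewall. The example does nothing about the single-default-gateway problem the post raises; each LAN host still has to point at the domU that holds its external address.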

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users