Hi Roberto

On 2015-04-21 19:49, Roberto C. Sánchez wrote:
> Personally, I like the approach of running Shorewall inside of each
> domU.  But then, I employ the "every node on the network is untrusted
> by default" approach.  I have all the physical interfaces in the dom0
> (with the dom0 only filtering traffic on its own virtual interface which
> is connected to the physical bridge interface).  Each domU is then
> connected to the bridge by the dom0, but the domU is responsible for its
> own filtering.

I understand the "trust no one" approach.  More work, but better safe 
than sorry!

In your approach, which do you use as the connection to the 'net?  In 
other words, your 'edge'?  The Dom0 or one of the DomUs?

With no interfaces passed through, I'm guessing the Dom0?

I understand that approach, but it kind of goes against the grain of 
'doing' as little as possible in the Dom0.  Maybe this is one of the things 
that *should* be?

aleph

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users