WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/

Re: [Xen-users] Ideal(istic) Xen firewall design

To: "Dirk H. Schulz" <dirk.schulz@xxxxxxxxxxxxx>
Subject: Re: [Xen-users] Ideal(istic) Xen firewall design
From: Marcus Brown <marcusbrutus@xxxxxxxxxxxxxxxx>
Date: Mon, 15 Aug 2005 16:35:20 +1000
Cc: Mike Tierney <miket@xxxxxxxxxxxxxxxx>, xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Mon, 15 Aug 2005 06:39:45 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <43002F9D.7000802@xxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <200508142130.j7ELUZ7k011456@xxxxxxxxxxxxxxxx> <43002F9D.7000802@xxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Debian Thunderbird 1.0.2 (X11/20050602)
Hi Dirk and Mike,
Dirk H. Schulz wrote:
> Hi Mike,
>
> Mike Tierney schrieb:
>
>> But it is still tempting to just do away with the separate firewall vm
>> and do all the firewalling in Dom0!
>>
Having got my Firewall domain working reasonably well I'd have to say that
I wouldn't go back! :) Extremely handy being able to create a Firewall,
restart it, swap in another version ... all without having to restart
my other domains!
> There is one more reason to put the firewall into a guest system: The
> guests use the smaller kernels (without hardware support etc.), so there
> is less possibility of kernel bugs that can be used to crack the
> firewall. It is more of a statistic perspective but with firewalling
> everything should be used to avoid leaks, I think.
>
The firewall domain _does_ have hardware support (i.e. network cards),
so I'm not sure if your logic applies.
(i.e. the firewall still has DMA)
But, still, everything else is/can be virtualised, so it's still a step
up from a dom0 (IMHO).
Marcus.
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
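The design discussed in this thread (firewall in its own domU, physical NIC handed to it, dom0 and the other guests untouched when the firewall is rebuilt) is still the usual way to do it, and Marcus's "firewall still has DMA" caveat is the part to verify before trusting it. The script below is an added example, not code from this thread or from the Xen project: it uses the current xl toolstack rather than the xm tools of 2005, and the domain name "firewall", the PCI address 01:00.0, the bridge name xenbr-lan and the kernel path are assumed. It reads the `virt_caps` line of `xl info` and refuses to hand a NIC to the firewall domU unless the hypervisor reports IOMMU-backed passthrough (`hvm_directio` / `pv_directio`), because without an IOMMU a DMA-capable NIC driven by a compromised firewall domU can read and write dom0's memory and every other guest's.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check and domain config for a
# firewall domU that owns a physical NIC by PCI passthrough.
# Assumed identifiers: domain "firewall", outside NIC at PCI 01:00.0,
# inside-facing bridge xenbr-lan, guest kernel /boot/vmlinuz-fw.
#
# A domU with a real NIC drives a DMA-capable device. Without an active IOMMU
# the card can reach any physical memory, so a compromise of the firewall domU
# is a compromise of dom0 and every other guest. Xen advertises IOMMU-backed
# passthrough in the virt_caps line of `xl info`:
#   hvm_directio  - passthrough to HVM guests is isolated by the IOMMU
#   pv_directio   - passthrough to PV guests is isolated by the IOMMU

# iommu_active: read `xl info` output from stdin, succeed (exit 0) only if a
# directio capability is listed on the virt_caps line.
iommu_active() {
    awk -F: '/^virt_caps/ { print $2 }' | grep -Eq '(hvm|pv)_directio'
}

# Constructed, abridged `xl info` samples: a host with VT-d enabled and one
# without. Used for offline testing; on a real host pipe `xl info` instead.
XLINFO_IOMMU='host                   : fw-host
xen_version            : 4.17.0
virt_caps              : pv hvm hvm_directio pv_directio hap shadow'
XLINFO_NO_IOMMU='host                   : fw-host
xen_version            : 4.17.0
virt_caps              : pv hvm hap shadow'

# write_fw_config FILE: xl domain config for the firewall domU. The
# inside-facing interface is a paravirtual vif on a dom0 bridge; the outside
# NIC is the passthrough PCI device, so dom0 never has an interface on the
# untrusted side.
write_fw_config() {
    cat > "$1" <<'EOF'
name    = "firewall"
type    = "pv"
kernel  = "/boot/vmlinuz-fw"
memory  = 256
vcpus   = 1
vif     = [ 'bridge=xenbr-lan' ]
pci     = [ '01:00.0' ]
EOF
}

# Real run only when asked for explicitly (the functions above are testable
# without a Xen host).
if [ "$1" = "--run" ]; then
    if ! xl info | iommu_active; then
        echo "refusing to start: no IOMMU, a passthrough NIC would have unrestricted DMA" >&2
        exit 1
    fi
    write_fw_config /etc/xen/firewall.cfg
    xl pci-assignable-add 01:00.0      # detach the NIC from dom0, bind it to pciback
    xl create /etc/xen/firewall.cfg    # start (or swap in) the firewall; other domUs untouched
fi
```

To replace the firewall with a rebuilt image, `xl destroy firewall` followed by `xl create /etc/xen/firewall.cfg` is the whole operation, which is the operational advantage Marcus describes. The check is deliberately a hard stop rather than a warning: on a host without an IOMMU the separate firewall domain still limits what a userland compromise of the firewall can touch, but it does not contain a compromise that reaches the NIC driver.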
