xen-users
Re: [Xen-users] Managed Firewall
Jonathan Tripathy wrote:
Since I have plans for up to nearly 100 VMs on the same machine, how
well would Xen cope with 100 bridges?
No idea.
I also have another idea, so maybe you could tell me if it would
work or not (Using physical firewall box):
Let's say I have just one bridge per Xen host. Could I use
iptabled/ebtables to deny all inter-VM traffic? So only allow access
from the VM to the physical NIC of the box? Then on the physical
switch, I could put each port on a separate VLAN, but put the port
that the firewall is connected to on all the VLANs. Then, I assume,
the switch would send all traffic from the host ports to the
firewall port, where the firewall could do filtering? I'm not sure
if the firewall would even need to be VM aware..
Well the firewall will not have to be VM aware anyway - it just sees
traffic on VLAN ports.
As to having one bridge and VLANs, if you connect multiple VLANs to
one switch then that's the equivalent of trunking (bonding) multiple
links together and won't help. The only other way round it I can see
is to use some fudging with /32 subnets for the clients so that they
have no concept of there being 'neighbours' on the local subnet (and
then enforce it with iptable/ebtables rules to prevent direct
host-host traffic) - but that's beyond my experience and I don't know
how well it works or what pitfalls there may be.
--
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
|