
I would like to jail my services Mail, HTTP, Dev into separated VMs using Xen. I have one public IP and would like to put all domUs in a private LAN and expose the services via port forwarding.

What is best practice in this case?

  • dom0 as a firewall or separated domU instance?
  • how to maintain the iptables rules (Xen also creates some rules)?
OliverS
  • Also consider creating a chroot jail for each service. It's far simpler in many ways. – hookenz Sep 28 '11 at 00:41
  • I used OpenVZ before but I couldn't figure out the resource management for the life of me. I would like to have more control and give static resources as well as strict separation. – OliverS Sep 28 '11 at 08:49

1 Answer

Xen best practice is to disaggregate (in other words, split up) the functions of the management domain (dom0) as much as possible for security, overall system reliability, and even performance (http://www.cs.ubc.ca/~andy/papers/xoar-sosp-final.pdf). See also Ian Pratt's comments on a Xen reference architecture (http://www.slideshare.net/xen_com_mgr/2-ian-pxencommunityupdate and http://vimeo.com/27655610).

If you put your NAT firewall in a domU there is also the added benefit of isolating the firewall rules to that system and so they won't conflict.

Todd Deshane
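An added example, not part of the question or answer above, of how the NAT/port-forwarding rules for a dedicated firewall domU can be kept in their own chains so that reloading them never touches the vif-* rules Xen's network scripts manage. The firewall domU is assumed to have the public IP on eth0 and a leg on the private bridge as eth1 (10.0.0.0/24); the service domU addresses, the public ports and the chain names SVC-DNAT and SVC-FWD are constructed values for this example, not taken from the page.

```shell
#!/bin/sh
# Port-forwarding rule set for a firewall domU (added example; all interface
# names, addresses and chain names below are assumptions for illustration).
#   sh fwrules.sh preview   -> print the iptables commands (no root needed)
#   sudo sh fwrules.sh apply -> load them for real

IPT="${IPT:-iptables}"       # set IPT=echo to preview instead of applying
WAN_IF="${WAN_IF:-eth0}"     # public side, carries the single public IP
LAN_IF="${LAN_IF:-eth1}"     # private bridge shared with the service domUs
LAN_NET="${LAN_NET:-10.0.0.0/24}"

# One entry per exposed service: proto:public_port:domU_ip:domU_port (constructed)
SERVICES="tcp:25:10.0.0.10:25 tcp:80:10.0.0.20:80 tcp:2222:10.0.0.30:22"

count_services() {
    echo $SERVICES | wc -w | tr -d ' '
}

# Our rules live only in SVC-DNAT (nat table) and SVC-FWD (filter table).
# Flushing and refilling these two chains leaves every other chain alone,
# which is what keeps a reload from conflicting with rules other tools create.
setup_chains() {
    $IPT -t nat -N SVC-DNAT 2>/dev/null || $IPT -t nat -F SVC-DNAT
    $IPT -N SVC-FWD 2>/dev/null || $IPT -F SVC-FWD

    # Hook the chains in exactly once: delete any old jump, then add a fresh one.
    $IPT -t nat -D PREROUTING -i "$WAN_IF" -j SVC-DNAT 2>/dev/null || true
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -j SVC-DNAT
    $IPT -D FORWARD -j SVC-FWD 2>/dev/null || true
    $IPT -I FORWARD 1 -j SVC-FWD

    # Nothing crosses the firewall unless a rule below allows it.
    $IPT -P FORWARD DROP
    $IPT -A SVC-FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Service domUs may reach the internet, hidden behind the public IP.
    $IPT -A SVC-FWD -i "$LAN_IF" -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
    $IPT -t nat -D POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE 2>/dev/null || true
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# add_service proto public_port domU_ip domU_port
# DNAT rewrites the destination; the FORWARD rule admits only that exact
# destination/port so a typo in the map cannot silently expose another domU.
add_service() {
    $IPT -t nat -A SVC-DNAT -p "$1" --dport "$2" -j DNAT --to-destination "$3:$4"
    $IPT -A SVC-FWD -i "$WAN_IF" -o "$LAN_IF" -d "$3" -p "$1" --dport "$4" \
        -m conntrack --ctstate NEW -j ACCEPT
}

apply_rules() {
    setup_chains
    for spec in $SERVICES; do
        old_ifs=$IFS; IFS=:; set -- $spec; IFS=$old_ifs
        add_service "$1" "$2" "$3" "$4"
    done
}

case "${1:-}" in
    preview) IPT=echo; apply_rules ;;
    apply)   sysctl -w net.ipv4.ip_forward=1 >/dev/null; apply_rules ;;
esac
```

Because the chains are flushed and refilled as a unit, the script can be re-run after every change to the service map without accumulating duplicate rules, and because the public side is only ever reached through SVC-DNAT, adding a service is a one-line change to SERVICES rather than a hand edit of PREROUTING.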