From: Gilles (gilles_at_harfang.homelinux.org)
Date: Tue 28 Sep 2004 - 15:19:21 BST
> > 
> >         +--------+     +------+
> >   DMZ   | Apache |-----| Exim |------+                 +---
> >         +--------+     +------+      |    +----+      /
> >                                      |----| FW |------| Internet
> >                                      |    +----+      \
> >         +--------+     +------+      |                 +---
> > Private |  Mysql |-----| LDAP |------+
> >         +--------+     +------+      |
> >                                      |
> >         +-----+   +-----+   +-----+  |
> >  Users  |  A  |---|  B  |---|  C  |--+
> >         +-----+   +-----+   +-----+
> > 
> > but where there is one vserver for each of Apache, Exim, Mysql and
> > LDAP, but all are in a single physical host. FW is another physical
> > machine where there is a software firewall (maybe in its own vserver,
> > as you suggested), and A, B, C are end-users physical machines.
> 
> In the sense of routing/firewalling, you probably will gain something
> out of this -
> You could create multiple iptables with different default gateways,
> per-dummyX-host firewalls, etc.
An example, maybe, of what you mean?
> However anyone connected on the same subnet (physical network, eg. on
> the same HUB/SWITCH will be able to sniff all packets traversing the
> network.
But only if the data are targeted to one of the physical machines, not
in the case of data transmission between vservers (within a single host).
> Personally I would go for 802.1q vlan's, but that's my personal opinion.
Thanks for the suggestion; I'll keep it in mind, although I currently can't
test this because my ethernet is 10Mb/s.
Best regards,
Gilles
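The per-vserver firewalling the quoted reply alludes to, as an added example that is not part of this thread: a POSIX sh script that gives each vserver its own dummyN leg on the single host and lets only the flows in the diagram cross tiers (Internet to Apache/Exim, Apache to Mysql, Exim to LDAP), dropping and logging the rest. Interface names, the 10.0.x.y addresses and the port numbers are assumptions, not from the thread.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes each vserver is
# attached to its own dummyN interface with the (constructed) addresses below,
# and that the host forwards between them and the leg toward the FW.
# Set IPT_DRY_RUN=1 to print the iptables commands instead of applying them.

IPT_DRY_RUN="${IPT_DRY_RUN:-0}"

# vserver -> interface/address map (assumed; adapt to your layout)
APACHE_IF=dummy0; APACHE_IP=10.0.1.10   # DMZ
EXIM_IF=dummy1;   EXIM_IP=10.0.1.11     # DMZ
MYSQL_IF=dummy2;  MYSQL_IP=10.0.2.10    # private
LDAP_IF=dummy3;   LDAP_IP=10.0.2.11     # private
EXT_IF=eth0                             # leg toward the FW / Internet

ipt() {
    if [ "$IPT_DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# allow_tcp <src-if> <src-ip> <dst-if> <dst-ip> <dst-port>
allow_tcp() {
    ipt -A FORWARD -i "$1" -s "$2" -o "$3" -d "$4" -p tcp --dport "$5" \
        -m state --state NEW -j ACCEPT
}

apply_vserver_policy() {
    # Default: nothing crosses between vservers unless listed below.
    ipt -P FORWARD DROP
    ipt -F FORWARD
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Web and mail are reachable from outside through the FW leg only.
    allow_tcp "$EXT_IF" 0.0.0.0/0 "$APACHE_IF" "$APACHE_IP" 80
    allow_tcp "$EXT_IF" 0.0.0.0/0 "$EXIM_IF" "$EXIM_IP" 25
    # DMZ services reach the private tier on specific ports only.
    allow_tcp "$APACHE_IF" "$APACHE_IP" "$MYSQL_IF" "$MYSQL_IP" 3306
    allow_tcp "$EXIM_IF" "$EXIM_IP" "$LDAP_IF" "$LDAP_IP" 389
    # Log anything else that tries to cross tiers before the DROP policy hits.
    ipt -A FORWARD -j LOG --log-prefix "vserver-xtier-drop: "
}

# rule_count: number of FORWARD rules the policy generates (dry-run check).
rule_count() {
    ( IPT_DRY_RUN=1; apply_vserver_policy ) | grep -c -- '-A FORWARD'
}
```

Run with `IPT_DRY_RUN=1` to review the generated rules before applying them as root.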
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver