From: Sam Vilain (sam_at_vilain.net)
Date: Mon 15 Aug 2005 - 01:19:55 BST

On Sat, 2005-08-13 at 09:37 +0200, Dirk Ruediger wrote:
> I wanted to have a DMZ and installed an additional network card to bind
> all these vservers to. But then I discovered the dummy device and want
> to change eth1 against dummy0 (after installing the dummy module ;-)
> and remove the additional network card from the server if it can be done.
> But first I want to know, if this is common (=good) practice. Or should I
> rather tinker with bridge and tun devices? The mailing list shows many
> things possible (vlan, bridge, dummy), but I can't see, what the best
> practices are.

I think that setting up "machine internal" networks on dummy interfaces
is a good practice. I have been using such a configuration for a while
myself. Setting them up on a real physical interface also addresses the
root problem that is the motivation to do this, which is to keep their
traffic off the wire even if your firewalling is turned off momentarily.
Using a dummy interface, you save yourself one network card to achieve

One peculiarity is that despite all vservers being defined on the dummy0
network, packets between vservers do not cross the host boundary.
Instead, they are considered to pass through the loopback interface when
talking between vservers, or from the host to and from any of the

However, this is no problem as you simply set up your iptables rules to
limit which vservers can talk to which other vservers on the loopback
Vserver mailing list
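
Added example, not part of the original post or of the Linux-VServer project: a shell function that prints an iptables-restore ruleset restricting vserver-to-vserver traffic on the loopback interface, as the reply describes. The 10.0.0.0/24 network, the vserver addresses, the flow list and the chain name VS_LO are all constructed assumptions.

```shell
#!/bin/sh
# Assumption: the dummy0 network that all vservers live on (constructed value).
VS_NET="10.0.0.0/24"

# Constructed allow-list, one flow per line: "source destination proto port".
ALLOWED_FLOWS="10.0.0.2 10.0.0.3 tcp 5432
10.0.0.4 10.0.0.2 tcp 80"

# Print a filter-table ruleset in iptables-restore format.
# Traffic between vserver addresses is local to the host, so it is seen
# on lo rather than dummy0; the rules therefore match on "-i lo".
gen_lo_rules() {
    net=$1
    flows=$2
    echo "*filter"
    # User-defined chain (hypothetical name) holding the per-vserver policy.
    echo ":VS_LO - [0:0]"
    # Divert only packets with both ends inside the vserver network, so
    # ordinary 127.0.0.0/8 loopback traffic is left alone. Inserted at
    # position 1 so a broad "accept everything on lo" rule cannot bypass it.
    echo "-I INPUT 1 -i lo -s $net -d $net -j VS_LO"
    # Replies to connections that were allowed when they were opened.
    echo "-A VS_LO -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "$flows" | while read -r src dst proto port; do
        [ -n "$src" ] || continue
        echo "-A VS_LO -s $src -d $dst -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Default deny for every other vserver-to-vserver packet.
    echo "-A VS_LO -j DROP"
    echo "COMMIT"
}

gen_lo_rules "$VS_NET" "$ALLOWED_FLOWS"
```

Review the printed rules before loading them; `iptables-restore --noflush` loads them without flushing the chains already in place.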