I would like to jail my services Mail, HTTP, Dev into separated VMs using Xen. I have one public IP and would like to put all domUs in a private LAN and expose the services via port forwarding.
What is best practice in this case?
- dom0 as a firewall or separated domU instance?
- how to maintain the iptables rules (Xen also creates some rules)?
Xen best practice is to disaggregate (in other words, split up) the functions of the management domain (dom0) as much as possible for security, overall system reliability, and even performance (http://www.cs.ubc.ca/~andy/papers/xoar-sosp-final.pdf). See also Ian Pratt's comments on a XenReference architecture (http://www.slideshare.net/xen_com_mgr/2-ian-pxencommunityupdate and http://vimeo.com/27655610).
If you put your NAT firewall in a domU there is also the added benefit of isolating the firewall rules to that system and so they won't conflict.
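As an added example (not part of the question or the answer above), here is what the firewall-domU layout the answer recommends looks like as a ruleset. The script assumes a dedicated firewall domU that holds the single public IP on eth0 and fronts a private LAN of service domUs on eth1; all interface names, addresses and the ports chosen are assumptions for illustration, not taken from the original post. The function only generates an iptables-restore file; nothing is applied unless you pass `--apply`.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Generates an iptables-restore ruleset for a dedicated firewall domU:
#   eth0 = public interface (the one public IP), eth1 = private LAN bridge.
# All interface names, addresses and ports below are assumptions.

PUB_IF=eth0
LAN_IF=eth1
LAN_NET=10.0.0.0/24
MAIL_VM=10.0.0.10
HTTP_VM=10.0.0.20
DEV_VM=10.0.0.30

# gen_rules: print a complete ruleset for iptables-restore on stdout.
# Only the explicitly forwarded ports can reach a domU from outside;
# everything else is dropped by the default FORWARD/INPUT policy.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Port-forward public ports to the service domUs (assumed addresses)
-A PREROUTING -i $PUB_IF -p tcp --dport 25 -j DNAT --to-destination $MAIL_VM:25
-A PREROUTING -i $PUB_IF -p tcp --dport 80 -j DNAT --to-destination $HTTP_VM:80
-A PREROUTING -i $PUB_IF -p tcp --dport 443 -j DNAT --to-destination $HTTP_VM:443
-A PREROUTING -i $PUB_IF -p tcp --dport 2222 -j DNAT --to-destination $DEV_VM:22
# Hide outbound traffic from the private LAN behind the public IP
-A POSTROUTING -s $LAN_NET -o $PUB_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Admin SSH to the firewall domU itself only from the private LAN
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Inbound: only the DNAT'd ports, each pinned to its own domU
-A FORWARD -i $PUB_IF -o $LAN_IF -d $MAIL_VM -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $PUB_IF -o $LAN_IF -d $HTTP_VM -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $PUB_IF -o $LAN_IF -d $HTTP_VM -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $PUB_IF -o $LAN_IF -d $DEV_VM -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Outbound: service domUs may reach the Internet
-A FORWARD -i $LAN_IF -o $PUB_IF -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# Apply only on explicit request; by default just print the ruleset.
if [ "${1:-}" = "--apply" ]; then
    gen_rules | iptables-restore
else
    gen_rules
fi
```

Because these rules live entirely in the firewall domU, they never touch the chains that Xen's network scripts manage in dom0, which is the isolation the answer describes. One caveat the ruleset cannot fix by itself: if all service domUs share one bridge, they can talk to each other at layer 2 without passing through the firewall domU, so domU-to-domU isolation needs separate bridges (or VLANs) per service, not just FORWARD rules.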