Mathias Diehl wrote:
> Connection from outside to my firewall domU is working fine. But setting up three separate networks as I would like to is infuriatingly..... :-(

Have you looked at http://www.shorewall.net/XenMyWay.html ?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
Hi Mat,

you are using Xen 2.0.x? If you like I can give you my Suse-like config scripts; it seems that I did exactly what you are trying to do. Except that I work only with 2 bridges, because for my lan2 zone I use a nic that I also pass via the dom0_hide feature into the shorewall domU.

So tell me if I got it correctly that you are using 2.0.x and I'll drop you my config.

Alex

Mathias Diehl wrote:
> Hi List,
>
> first of all sorry: this is not a shorewall specific question! But somehow related...
>
> I tried to install a XEN server and using the default config worked excellently. Now I followed the instructions to hide the physical eth from dom0 and passed them to a domU - here shorewall shall secure my installation.
>
> I expected it to be quite simple to set up an internal network by just making some bridges in my dom0 where I can attach my domU vifs and everything should be fine - but I just seem to miss a basic understanding of bridges and networking at all.
>
> Maybe here's someone who can guide me:
> - How to set up three bridges on my dom0 to work as switches for DMZ, LAN1 and LAN2.
> - How to set up a dummy interface on dom0 to enable communication between the shorewall domU and dom0 as part of LAN2.
>
> Connection from outside to my firewall domU is working fine. But setting up three separate networks as I would like to is infuriatingly..... :-(
>
> thanx for any help...
>
> Mat
Hi List,

first of all sorry: this is not a shorewall specific question! But somehow related...

I tried to install a XEN server and using the default config worked excellently. Now I followed the instructions to hide the physical eth from dom0 and passed them to a domU - here shorewall shall secure my installation.

I expected it to be quite simple to set up an internal network by just making some bridges in my dom0 where I can attach my domU vifs and everything should be fine - but I just seem to miss a basic understanding of bridges and networking at all.

Maybe here's someone who can guide me:
- How to set up three bridges on my dom0 to work as switches for DMZ, LAN1 and LAN2.
- How to set up a dummy interface on dom0 to enable communication between the shorewall domU and dom0 as part of LAN2.

Connection from outside to my firewall domU is working fine. But setting up three separate networks as I would like to is infuriatingly..... :-(

thanx for any help...

Mat
Hi Tom,

thanx for your kind reply. Yes - I had a look at your example - but it didn't fit my idea.

According to your howto the physical eth is bridged and your dom0 is a fully protected host. What I like to achieve is a little bit different. Maybe not even possible, but exactly here's the lack of my understanding.

In my config the eth0 and eth1 are passed directly to a domU - so dom0 does not have any physical device at all. I thought it must be possible to set up a bridge and link two vifs of two domUs to enable communication between these two domUs.

    domU1          domU2
      |              |
    eth0           eth0
      |              |
    vif1.0         vif2.0
    ---------------------
             br0

I managed to create the bridge and to ping from dom0 to domU1 and to domU2 - but not from domU1 to domU2. What I like to reach is that I can connect between domU1 and domU2 without being able to reach dom0 on these two interfaces.

Any idea how to set up bridge and XEN to get this working? Maybe some iptables rules or stuff like that is necessary...

cheers,
Mat

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On behalf of Tom Eastep
Sent: Monday, 27 February 2006 16:19
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] xen related question

Mathias Diehl wrote:
> Connection from outside to my firewall domU is working fine. But setting up three separate networks as I would like to is infuriatingly..... :-(

Have you looked at http://www.shorewall.net/XenMyWay.html ?
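The layout asked for in the original post (three bridges on dom0 acting as switches for DMZ, LAN1 and LAN2, with dom0 itself only a member of LAN2) together with the property this message asks for (domU1 and domU2 talk over a bridge without dom0 being reachable on it), as an added shell example that is not from the thread and not from the Xen or Shorewall projects. The bridge names xenbr_dmz/xenbr_lan1/xenbr_lan2, the dom0 address 192.168.2.1/24 and the `brctl show` / `ip -o -4 addr` samples are all assumptions constructed for the example; dom0 joins LAN2 here by addressing the LAN2 bridge device itself, which is the simplest replacement for a separate dummy interface.

```shell
#!/bin/sh
# Added example, not from the thread or the Xen/Shorewall projects.
# Three bridges on dom0 act as switches for DMZ, LAN1 and LAN2 (names are
# assumptions). dom0 keeps no IPv4 address on the DMZ and LAN1 bridges, so
# frames between domU vifs are switched at layer 2 with nothing on dom0
# answering on those segments; dom0 joins LAN2 by addressing the LAN2 bridge.

BRIDGES="xenbr_dmz xenbr_lan1 xenbr_lan2"   # assumed bridge names
DOM0_LAN2_ADDR=192.168.2.1/24              # assumed dom0 address on LAN2

# Print each command unless APPLY=1 (run as root) is set; default is a dry run.
run() { if [ "$APPLY" = 1 ]; then "$@"; else echo "$*"; fi; }

# Build the three bridges and put dom0 on LAN2 only.
setup_bridges() {
    for br in $BRIDGES; do
        run brctl addbr "$br"
        run brctl stp "$br" off      # no spanning tree between domU ports
        run brctl setfd "$br" 0      # no forwarding delay when a vif is attached
        run ip link set "$br" up
    done
    # Only the LAN2 bridge gets a dom0 address; DMZ and LAN1 stay address-less.
    run ip addr add "$DOM0_LAN2_ADDR" dev xenbr_lan2
}

# Ports of bridge $2 from `brctl show` output $1, space separated on one line.
bridge_ports() {
    printf '%s\n' "$1" | awk -v br="$2" '
        NR == 1 { next }                                   # column header
        NF >= 3 { cur = $1; port = (NF >= 4) ? $NF : "" }  # bridge row
        NF == 1 { port = $1 }                              # extra-port row
        cur == br && port != "" { out = out (out == "" ? "" : " ") port }
        END { print out }'
}

# IPv4 address of interface $2 from `ip -o -4 addr` output $1 (empty if none).
dom0_addr() {
    printf '%s\n' "$1" | awk -v ifc="$2" '$2 == ifc && $3 == "inet" { print $4 }'
}

# Succeed only when dom0 holds no IPv4 address on the DMZ/LAN1 bridges and
# every port on them is a domU vif; each violation is reported on stderr.
check_dom0_isolation() {
    brctl_out=$1; addr_out=$2; rc=0
    for br in xenbr_dmz xenbr_lan1; do
        addr=$(dom0_addr "$addr_out" "$br")
        if [ -n "$addr" ]; then
            echo "FAIL: dom0 is reachable on $br ($addr)" >&2; rc=1
        fi
        for port in $(bridge_ports "$brctl_out" "$br"); do
            case $port in
                vif*) ;;
                *) echo "FAIL: non-vif port $port on $br" >&2; rc=1 ;;
            esac
        done
    done
    return $rc
}

# Constructed sample output (not captured from a real host) so the check can
# be exercised offline; on a live dom0 pass "$(brctl show)" and "$(ip -o -4 addr)".
SAMPLE_BRCTL=$(cat <<'EOF'
bridge name     bridge id               STP enabled     interfaces
xenbr_dmz       8000.feffffffffff       no              vif1.0
                                                        vif2.0
xenbr_lan1      8000.feffffffffff       no              vif1.1
xenbr_lan2      8000.feffffffffff       no              vif1.2
EOF
)
SAMPLE_ADDR_OK=$(cat <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
4: xenbr_lan2    inet 192.168.2.1/24 scope global xenbr_lan2\       valid_lft forever preferred_lft forever
EOF
)
# Same constructed host, but dom0 was also given an address on the DMZ bridge.
SAMPLE_ADDR_BAD="$SAMPLE_ADDR_OK
2: xenbr_dmz    inet 10.0.0.1/24 scope global xenbr_dmz\\       valid_lft forever preferred_lft forever"

# Stand-alone run: print the setup plan and check the constructed good sample.
setup_bridges
check_dom0_isolation "$SAMPLE_BRCTL" "$SAMPLE_ADDR_OK" && echo "constructed layout: dom0 isolated from DMZ and LAN1"
```

The vifs themselves land on the bridges through each domU's own configuration (the `bridge=` option of its vif entry names the bridge), so the script only prepares the switches. The check confirms that dom0 has no layer-3 presence on the DMZ and LAN1 segments; dom0 still owns the bridge devices and sees every frame, so this is about reachability, not about hiding traffic from dom0.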
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Mathias Diehl wrote:
> I thought it must be possible to set up a bridge and link two vifs of two domUs to enable communication between these two domUs.
>
>     domU1          domU2
>       |              |
>     eth0           eth0
>       |              |
>     vif1.0         vif2.0
>     ---------------------
>              br0
>
> I managed to create the bridge and to ping from dom0 to domU1 and to domU2 - but not from domU1 to domU2. What I like to reach is that I can connect between domU1 and domU2 without being able to reach dom0 on these two interfaces.

I believe that is *exactly* what xenbr1 does in the article at http://www.shorewall.net/XenMyWay.html. What am I missing?

> Any idea how to set up bridge and XEN to get this working? Maybe some iptables rules or stuff like that is necessary...

I've written all of the Xen documentation that I intend to write. It's up to the Xen project to provide usable networking documentation (something that they have *not* done to this point). Xen has a lot more developers and vendor financial support than the Shorewall project does.

-Tom
Mathias Diehl wrote:
> Hi Tom,
>
> thanx for your kind reply. Yes - I had a look at your example - but it didn't fit my idea.
>
> According to your howto the physical eth is bridged and your dom0 is a fully protected host.

You are looking at the wrong article -- you are reading http://www.shorewall.net/Xen.html while I am talking about http://www.shorewall.net/XenMyWay.html. There are *two* Xen-related articles on the Shorewall site -- the one you are looking at links to the other one.

-Tom
Hi Tom,

I totally agree with you regarding XEN's documentation. It's not that detailed, especially for guys like me not having that deep networking know-how. However - I found someone on this list with a hint in the right direction... Thanx Alex!

> I believe that is *exactly* what xenbr1 does in the article at http://www.shorewall.net/XenMyWay.html. What am I missing?

The point is that you pass the eth0 of dom0 via a bridge to your firewall domU. What I like to do (and it seems to be possible again in xen 3.0.2) is to physdev_hide the eth0/eth1 from dom0 and assign them directly to my fw domU. So dom0 does not have physical contact to the pci bus of eth but domU has. Sounds great for my paranoid plan ;-)

However - I'll give Alex's hint a try, and if it's working we have a howto for SUSE and Debian :-)

cheers,
Mat
Mathias Diehl wrote:
> The point is that you pass the eth0 of dom0 via a bridge to your firewall domU. What I like to do (and it seems to be possible again in xen 3.0.2) is to physdev_hide the eth0/eth1 from dom0 and assign them directly to my fw domU. So dom0 does not have physical contact to the pci bus of eth but domU has. Sounds great for my paranoid plan ;-)

Sounds good to me too but the code to do that was only released by the developer last week or the week before (unless you run Xen 2.0) and I prefer to not live on the Xen bleeding edge. If I have Xen problems then my public servers, my private server, my local wireless network, my DHCP server and my firewall are all down -- I'm not willing to risk that so I run my vendor's supported version of Xen which is 3.0.0.

-Tom
Tom Eastep wrote:
> Sounds good to me too but the code to do that was only released by the developer last week or the week before (unless you run Xen 2.0) and I prefer to not live on the Xen bleeding edge. If I have Xen problems then my public servers, my private server, my local wireless network, my DHCP server and my firewall are all down -- I'm not willing to risk that so I run my vendor's supported version of Xen which is 3.0.0.

Hi Tom,

yes, he runs 2.0.7. And that's rock-solid.

Alex