Hi All,

I'm trying to use shorewall to manage the firewall of a xen dom0 installation but not for the bridges.

I'm using shorewall-perl 4.0.8-1 on a Debian testing.

Basically I want to allow all traffic between the virtual interfaces connected to the bridge called "lan" in the zone "lan".

Because the virtual interfaces are added at runtime to the bridge I can't enumerate them in the shorewall configuration following the tutorial available at http://www.shorewall.net/bridge-Shorewall-perl.html

Also the release notes /usr/share/doc/shorewall-perl/releasenotes.txt.gz state that:

  Bridge ports must now be defined in /etc/shorewall/interfaces.

So, if I understand correctly, currently there isn't a way to allow the traffic in the bridge in an implicit way.

A little extract from my configuration.

  $ sudo brctl show
  bridge name     bridge id               STP enabled     interfaces
  lan             8000.feffffffffff       no              xen1fw.0
                                                          aptproxy.0
                                                          [and so on]

  $ sudo cat /etc/shorewall/zones | grep lan
  lan     ipv4

  $ sudo cat /etc/shorewall/policy | egrep 'lan|all'
  lan     lan     ACCEPT  info
  all     all     DROP    info

  $ sudo cat /etc/shorewall/interfaces | grep lan
  lan     lan     detect  routefilter,bridge

  $ sudo dmesg | grep DROP | head -n1
  Mar 19 23:01:53 xen1 kernel: Shorewall:FORWARD:DROP:IN=lan OUT=lan PHYSIN=xen1fw.0 PHYSOUT=aptproxy.0 SRC=10.200.0.254 DST=10.200.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=52487 SEQ=4

Shorewall seems to block all traffic inside the bridge because it goes in the FORWARD chain (default DROP), which has no target lan2lan, and the lan2lan chain hasn't any reference...

Even if I make the IP range explicit, for example in /etc/shorewall/rules

  ACCEPT  lan:10.0.0.0/8  lan:10.0.0.0/8

the lan2lan chain will continue to have 0 references.

Maybe I haven't got the full view to understand why shorewall works in this way and whether I could reach what I want, which seems to me pretty simple to express.
For now I use this workaround in the script /etc/shorewall/start

  #!/bin/sh
  # Line number of the first DROP rule in FORWARD; line 1 ("Chain FORWARD (policy DROP)")
  # is skipped so the chain policy itself does not match.
  NUM=`iptables --line-numbers -nL FORWARD | sed -n '2,$p' | grep -si drop | head -n 1 | cut -d ' ' -f1`
  # Insert a jump to lan2lan for traffic entering and leaving via the bridge, ahead of that DROP.
  iptables -I FORWARD $NUM -i lan -o lan -j lan2lan

Thanks in advance for your suggestions,

Daniele Pizzolli

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Daniele Pizzolli wrote:

> Basically I want to allow all traffic between the virtual interfaces
> connected to the bridge called "lan" in the zone "lan".

Have you looked at http://www.shorewall.net/SimpleBridge.html?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Daniele Pizzolli wrote:

> Hi All,
>
> I'm trying to use shorewall to manage the firewall of a xen dom0
> installation but not for the bridges.
>
> I'm using shorewall-perl 4.0.8-1 on a Debian testing.
>
> Basically I want to allow all traffic between the virtual interfaces
> connected to the bridge called "lan" in the zone "lan".
>
> Because the virtual interfaces are added at runtime to the bridge I
> can't enumerate them in the shorewall configuration following the
> tutorial available at
> http://www.shorewall.net/bridge-Shorewall-perl.html
>
> Also the release notes /usr/share/doc/shorewall-perl/releasenotes.txt.gz
> states that:
>
> Bridge ports must now be defined in /etc/shorewall/interfaces.
>
> So, if I understand correctly currently there isn't a way to allow the
> traffic in the bridge in an implicit way.
>
> A little extract from my configuration.
>
> $ sudo brctl show
> bridge name     bridge id               STP enabled     interfaces
> lan             8000.feffffffffff       no              xen1fw.0
>                                                         aptproxy.0
> [and so on]
>
> $ sudo cat /etc/shorewall/zones | grep lan
> lan     ipv4
>
> $ sudo cat /etc/shorewall/policy | egrep 'lan|all'
> lan     lan     ACCEPT  info
> all     all     DROP    info
>
> $ sudo cat /etc/shorewall/interfaces | grep lan
> lan     lan     detect  routefilter,bridge

Not that I have tried this with a bridge, but the in/out traffic below is on the same interface; might want to try "routeback" as an option here.

> $ sudo dmesg | grep DROP | head -n1
> Mar 19 23:01:53 xen1 kernel: Shorewall:FORWARD:DROP:IN=lan OUT=lan
> PHYSIN=xen1fw.0 PHYSOUT=aptproxy.0 SRC=10.200.0.254 DST=10.200.0.1
> LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0
> ID=52487 SEQ=4
>
> Shorewall seems to block all traffic inside the bridge because it goes
> in the FORWARD chain (default DROP), which has no target lan2lan and
> the lan2lan chain hasn't any reference...

hope that helps,

Jerry
On Thursday 20 March 2008 00:53, Tom Eastep wrote:

> Daniele Pizzolli wrote:
> > Basically I want to allow all traffic between the virtual
> > interfaces connected to the bridge called "lan" in the zone "lan".
>
> Have you looked at http://www.shorewall.net/SimpleBridge.html?

Oh, yes, but not with the right attention.

Thanks for shorewall and for your patience.

The routeback option is the key, as made explicit by Jerry Vonau. Now another question arises. Why is routeback necessary even if I have an explicit lan lan policy?

I'm sure I could find the answer myself by carefully re-reading the documentation.

Best regards,

Daniele Pizzolli
Daniele Pizzolli wrote:

> On Thursday 20 March 2008 00:53, Tom Eastep wrote:
>> Daniele Pizzolli wrote:
>>> Basically I want to allow all traffic between the virtual
>>> interfaces connected to the bridge called "lan" in the zone "lan".
>> Have you looked at http://www.shorewall.net/SimpleBridge.html?
>
> Oh, yes, but not with the right attention.
> Thanks for shorewall and for your patience.
> The routeback option is the key as explicited by Jerry Vonau. Now
> another question arise. Why is routeback necessary even if I explicit a
> lan lan policy?

Because I dislike side-effects. While it might seem reasonable to imply 'routeback' from an explicit lan->lan policy when there is only one interface to the 'lan' zone, what about if there are two? Should each of them have 'routeback' set automatically? What if that's not what the user intended? Then we would need a 'norouteback' option to undo what Shorewall had done automatically.

So it seems more consistent to simply require 'routeback' when the user wants/needs it.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
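As an added example (not code from this thread or from the Shorewall project), two small shell/awk diagnostics for the situation discussed above: one reads kernel log lines and reports Shorewall DROPs where the packet entered and left through the same interface (IN= equal to OUT=, the signature of bridge-port-to-bridge-port traffic on an interface without 'routeback'), the other reads an /etc/shorewall/interfaces file and lists bridge interfaces whose OPTIONS column lacks 'routeback'. Both assume the standard Shorewall log prefix `Shorewall:<chain>:<action>:` followed by netfilter's KEY=value fields and the four-column interfaces layout (ZONE INTERFACE BROADCAST OPTIONS). The first sample log line is the one Daniele quoted; the second log line and the sample interfaces file are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Shorewall project.

# Reads kernel log lines on stdin and prints one line per Shorewall DROP where
# the packet entered and left via the same interface (IN= equals OUT=).
# Output format: "<interface> <physin> <physout> <src> -> <dst>".
intra_bridge_drops() {
    awk '
    /Shorewall:[A-Za-z0-9_]*:DROP:/ {
        iif = ""; oif = ""; physin = "-"; physout = "-"; src = "?"; dst = "?"
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") < 2) continue   # not a KEY=value token
            key = kv[1]
            sub(/^.*:/, "", key)                    # "Shorewall:FORWARD:DROP:IN" -> "IN"
            if      (key == "IN")      iif     = kv[2]
            else if (key == "OUT")     oif     = kv[2]
            else if (key == "PHYSIN")  physin  = kv[2]
            else if (key == "PHYSOUT") physout = kv[2]
            else if (key == "SRC")     src     = kv[2]
            else if (key == "DST")     dst     = kv[2]
        }
        if (iif != "" && iif == oif)
            print iif, physin, physout, src " -> " dst
    }'
}

# Reads an /etc/shorewall/interfaces file on stdin and prints "<zone> <interface>"
# for every entry whose OPTIONS contain "bridge" but not "routeback". On such an
# interface, traffic between two bridge ports is dropped by the FORWARD chain
# even with a lan->lan ACCEPT policy, as seen in the thread.
bridges_without_routeback() {
    awk '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
        opts = ""; if (NF >= 4) opts = $4
        n = split(opts, o, ",")
        has_bridge = 0; has_routeback = 0
        for (i = 1; i <= n; i++) {
            if (o[i] == "bridge")    has_bridge = 1
            if (o[i] == "routeback") has_routeback = 1
        }
        if (has_bridge && !has_routeback) print $1, $2
    }'
}

# Constructed sample input. Line 1 is the DROP quoted in the thread; line 2 is a
# made-up drop of routed (non-bridge) traffic that must NOT be reported.
SAMPLE_LOG='Mar 19 23:01:53 xen1 kernel: Shorewall:FORWARD:DROP:IN=lan OUT=lan PHYSIN=xen1fw.0 PHYSOUT=aptproxy.0 SRC=10.200.0.254 DST=10.200.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=52487 SEQ=4
Mar 19 23:02:10 xen1 kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=4444 DPT=22'

# Constructed interfaces file modelled on the one in the thread: only the first
# entry is a bridge without routeback.
SAMPLE_INTERFACES='#ZONE   INTERFACE   BROADCAST   OPTIONS
lan     lan         detect      routefilter,bridge
dmz     br1         detect      bridge,routeback
net     eth0        detect      tcpflags,nosmurfs'

sample_report() { printf '%s\n' "$SAMPLE_LOG" | intra_bridge_drops; }
sample_lint()   { printf '%s\n' "$SAMPLE_INTERFACES" | bridges_without_routeback; }

if [ "${1:-}" = "--demo" ]; then
    echo "same-interface drops:";              sample_report
    echo "bridge interfaces lacking routeback:"; sample_lint
fi
```

On a live host the same functions can be fed with `dmesg | intra_bridge_drops` and `bridges_without_routeback < /etc/shorewall/interfaces`; a hit from the first check on an interface listed by the second is exactly the combination Jerry and Tom describe, and the fix is adding 'routeback' to that interface's OPTIONS rather than patching the FORWARD chain by hand.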