An Ubuntu 10.04 server running Shorewall 4.4.6.1 hosts three KVM
virtual servers on the default libvirt virbr0 bridge at the default
vnet+ bridge ports. The bridge and ports are on a separate private
subnet (192.168.122.0/24). Each bridge port and the bridge itself are
in the dmz, there are two physical interfaces and private local
subnets in loc, and one interface in net that handles a block of 5
public IP addresses. DNAT rules accept web, imap, smtp, etc. traffic
originating on net per dest IP and forward it to the appropriate server.

The setup works quite well with one problem: when starting the host
server it's necessary to restart Shorewall once the bridge and KVM
systems are up. Not a huge problem except that if there's an extended
power failure (such that the UPS gets drained and the server shuts
itself down), no one is there to log on and restart Shorewall after
power recovery & automatic server startup.

Two questions then, the first being the more important.

Q1: Is it possible to use the existing setup with privately-subnetted
libvirt bridge virbr0 yet not have to restart Shorewall? Or, using an
explicitly declared bridge instead, it should be possible to manage the
startup so that a Shorewall restart is unnecessary, perhaps with a
script similar to what's linked on the Shorewall-KVM documentation
page. But I don't quite understand how to set up such a script for
proper startup execution; place the reference in the appropriate
/etc/rc<n>.d runlevel folders?

Q2: Such an explicit bridge might be on the existing private subnet
but, as in the brouter setup in the Shorewall 4.4 documentation pages,
using an explicitly declared bridge in a 'public' zone along with public
addresses for the servers on each bridge port in the dmz zone and a
bridge port tied to the physical eth0 external public interface might
be faster or better. I've tried some possibilities but so far I
haven't been so successful in getting this alternate setup to work.

Here's one example of what I tried. The KVM servers each were moved to
their respective fixed public IPs.

/etc/network/interfaces. Also tried this without declaring eth0:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet manual
auto br0
iface br0 inet static
        address 71.245.97.170
        netmask 255.255.255.0
        network 71.245.97.0
        broadcast 71.245.97.255
        gateway 71.245.97.1
        bridge_ports eth0
        bridge_fd 0
        bridge_stp off
        bridge_maxwait 0
        up ip addr add 71.245.97.171 dev br0
        up ip addr add 71.245.97.172 dev br0
        up ip addr add 71.245.97.174 dev br0
[standard local interfaces eth1 & eth2 / private subnet declarations...]
Shorewall zones:
fw        firewall
loc        ipv4
pub        ipv4
net:pub     bport4
dmz:pub     bport4
Shorewall interfaces. Maybe this is incorrect. Should the net and dmz
zones include the bridge option, and what about routeback? This bit is
the least understood by myself.

pub    br0              detect       bridge,routefilter
net    br0:eth0         -
dmz    br0:vnet+        -
loc    eth1             detect       tcpflags,dhcp,nosmurfs,routefilter,logmartians
loc    eth2             detect       tcpflags,dhcp,nosmurfs,routefilter,logmartians
Shorewall params. This seems to do what it should when expanding rules
etc, but does the bridge IP (...170) go in here too?
SERVERS=71.245.97.171,71.245.97.172,71.245.97.174
DMZ=pub:$SERVERS
NET=pub:!$SERVERS
Shorewall policy:
loc        pub        ACCEPT
loc        $FW        REJECT    info
loc        all        REJECT    info
$FW        pub        REJECT    info
$FW        loc        REJECT    info
$FW        all        REJECT    info
dmz        net        REJECT    info
dmz        $FW        REJECT    info
dmz        loc        REJECT    info
dmz        all        REJECT    info
net        dmz        DROP        info
net        $FW        DROP        info
net        loc        DROP        info
net        all        DROP        info
# THE FOLLOWING POLICY MUST BE LAST
all        all        REJECT        info
Shorewall rules:
# host server serves DNS for the local subnets
DNS(ACCEPT)    $FW        $NET
DNS(ACCEPT)    loc        $FW
#dmz servers get DNS from the outside
DNS(ACCEPT)    $DMZ        $NET
SSH(ACCEPT)     loc             $FW
Ping(DROP)       $NET             $FW
Ping(ACCEPT)    loc             $FW
Ping(ACCEPT)    $DMZ            $FW
Ping(ACCEPT)    loc             $DMZ
Ping(ACCEPT)    $DMZ            loc
Ping(ACCEPT)    $DMZ            $NET
ACCEPT        $FW        $NET        icmp
ACCEPT        $FW        loc        icmp
ACCEPT        $FW        $DMZ        icmp
# host server runs ntpd for all
NTP(ACCEPT)    $FW        $NET
NTP(ACCEPT)    $DMZ        $FW
NTP(ACCEPT)    loc        $FW
Web(ACCEPT)    $NET        $DMZ
Web(ACCEPT)    $DMZ        $NET
Web(ACCEPT)    $FW        $NET
Web(ACCEPT)    loc        $FW
ACCEPT        loc        $FW    tcp    81
Mail(ACCEPT)    $NET        $DMZ
Mail(ACCEPT)    $DMZ        $NET
Mail(ACCEPT)    $FW        $NET
Mail(ACCEPT)    $FW        $DMZ
IMAP(ACCEPT)    $NET        $DMZ
IMAPS(ACCEPT)    $NET        $DMZ
Any comments on the above configuration would be very much appreciated.
It's a little involved to switch configurations because the host
network, Shorewall, and KVM all have to change, and then we're
down for testing, but no problem to do that at night and then I can
post more detailed info. Would be nice to have another, test, server
but the other physical server here is too old to support KVM...
On 10/21/10 11:52 AM, Dr John wrote:
> An Ubuntu 10.04 server running Shorewall 4.4.6.1 hosts three KVM
> virtual servers on the default libvirt virbr0 bridge at the default
> vnet+ bridge ports.
<much stuff snipped>
> Any comments on the above configuration would be very much appreciated.

Why don't we try to understand why your current configuration requires
the restart and fix that?

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Fri, Oct 22, 2010 at 11:34 PM, Tom Eastep <teastep@shorewall.net> wrote:
> On 10/21/10 11:52 AM, Dr John wrote:
>> An Ubuntu 10.04 server running Shorewall 4.4.6.1 hosts three KVM
>> ...
>
> Why don't we try to understand why your current configuration requires
> the restart and fix that?

Maybe not related, but my Ubuntu routers (9.10 and 10.04) seem to have
this problem too. No KVM or bridging, but using bonding and vlans. I
would like to blame upstart but I have no proof. It's complex enough
that I have trouble figuring out everything that's going on, so my
"fix" is to move them to Debian.

Brad C
On 10/22/10 10:01 PM, Brad Clarke wrote:
> Maybe not related, but my Ubuntu routers (9.10 and 10.04) seem to have
> this problem too. No KVM or bridging, but using bonding and vlans. I
> would like to blame upstart but I have no proof. It's complex enough
> that I have trouble figuring out everything that's going on, so my
> "fix" is to move them to Debian.

That would be my preferred 'fix' as well. Nevertheless, Shorewall can be
configured so that it doesn't require interfaces to even exist when
Shorewall starts so it should be possible to get the OP's configuration
to work.

Dr John: The output of 'shorewall dump' collected before the 'shorewall
restart' and similar output collected after the 'shorewall restart'
should be enough for us to see what is needed.

-Tom
I rebooted with the KVMs set for autostart, attempted IMAP connections
to them from a system on loc (failed), saved output of shorewall dump,
then restarted Shorewall and repeated successfully.

Attached file includes:

swdump-after.log
swdump-before.log

where 'before' and 'after' are relative to the restart of Shorewall.

Thanks for having a look,
John

On 10/23/2010 09:21 AM, Tom Eastep wrote:
> Dr John: The output of 'shorewall dump' collected before the 'shorewall
> restart' and similar output collected after the 'shorewall restart'
> should be enough for us to see what is needed.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
On 10/23/10 5:08 PM, Dr John wrote:
> I rebooted with the KVMs set for autostart, attempted IMAP connections
> to them from a system on loc (failed), saved output of shorewall dump,
> then restarted Shorewall and repeated successfully.
>
> Attached file includes:
>
> swdump-after.log swdump-before.log
>
> where 'before' and 'after' are relative to the restart of Shorewall.

Please forward the contents of:

/etc/shorewall/masq
/etc/shorewall/net

Thanks,
-Tom
/etc/shorewall/nat is empty (assuming you meant 'nat' and not 'net')

/etc/shorewall.masq:

eth0 192.168.0.0/22

I since changed the IP range to 192.168.0.0/17, thinking that maybe the
.../22 was not passing the 192.168.122.0 subnet, but the change seemed
to make no difference as far as needing to restart shorewall. Is it
necessary to have a masq file in this setup with one external interface?

== Some extra information ==

The mail clients (Thunderbird or iPhones) when on loc or in the wild use
the FQDN of the IMAP servers (e.g. mail.mydomain.com) and not the
internal VM host name (e.g. m2a74am_vm1). So, when configuring this
setup, I found that a pair of rules like these, for example (there are
similar ones for HTTP, HTTPS, SMTP, etc etc):

DNAT    net    dmz:192.168.122.11    tcp    143    -    71.245.97.172
DNAT    loc    dmz:192.168.122.11    tcp    143    -    71.245.97.172

would forward IMAP to the designated virtual IMAP server from both net
and loc based clients. That this worked at all for loc seemed strange to
me, but the traffic is being sent from loc to the designated original
destination, after all.

Looking through the rules file just now I see what might be some
redundancies and unnecessary lines that I'll clean up and test for
functionality. These shouldn't involve IMAP, but I'll verify the need to
restart Shorewall. I'll keep the current version on hand, of course.

Thanks,
John

On 10/23/2010 08:36 PM, Tom Eastep wrote:
> Please forward the contents of:
>
> /etc/shorewall/masq
> /etc/shorewall/net
On 10/23/10 9:41 PM, Dr John wrote:
> /etc/shorewall/nat is empty (assuming you meant 'nat' and not 'net')
>
> /etc/shorewall.masq:
>
> eth0 192.168.0.0/22

Okay -- the problem is that you have a second iptables configuration
tool installed on your system. That tool is starting after Shorewall and
is inserting its own set of rules ahead of those generated by Shorewall.
'shorewall restart' re-establishes the correct ruleset.

-Tom
As far as I know, the only other installed tool is ufw:

root@m2a74am:/etc# ufw status
Status: inactive
root@m2a74am:/etc#

and:

root@m2a74am:/etc/ufw# cat ufw.conf
# /etc/ufw/ufw.conf
#

# set to yes to start on boot
ENABLED=no

# set to one of 'off', 'low', 'medium', 'high'
LOGLEVEL=low
root@m2a74am:/etc/ufw#

Can you suggest some other possibilities?

Thanks,
John

On 10/24/2010 05:45 AM, Tom Eastep wrote:
> Okay -- the problem is that you have a second iptables configuration
> tool installed on your system. That tool is starting after Shorewall and
> is inserting its own set of rules ahead of those generated by
> Shorewall. 'shorewall restart' re-establishes the correct ruleset.
On 10/24/10 10:19 AM, Dr John wrote:
> Can you suggest some other possibilities?

No. All I can tell you is that there are rules at the beginning of each
of the built-in chains that were not added by the Shorewall-generated
script.

-Tom
Found it: According to the libvirt documentation, when using the default
virtual bridge 'user mode' it sets up iptables rules to NAT the VMs. The
virtual bridge is 'not to be connected to a physical interface.'

I think I'm back to the original post: changing to a bridged
configuration declared in /etc/networking/interfaces or such.

--
John

On 10/24/2010 02:50 PM, Tom Eastep wrote:
> No. All I can tell you is that there are rules at the beginning of each
> of the built-in chains that were not added by the Shorewall-generated
> script.
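A check for the condition Tom diagnosed in this thread (rules at the head of the built-in chains that Shorewall's generated script never added), written as an added example that is not part of the thread or of Shorewall: it normalises two iptables-save captures, taken before and after 'shorewall restart', prints the rules that disappear, and shows the first rule of each built-in filter chain. The sample dumps are constructed, the chain names dynamic, eth0_in, eth0_fwd, eth0_out and eth0_masq only stand in for Shorewall's generated chains, and the virbr0 / 192.168.122.0/24 lines mimic the NAT rules libvirt's default network installs.

```shell
#!/bin/sh
# Added example, not code from the thread: find rules that another tool left
# in the built-in chains by comparing iptables-save output captured before and
# after 'shorewall restart'. Sample dumps are constructed; the virbr0 lines
# mimic libvirt's default-network NAT rules that John found to be the cause.
set -u
export LC_ALL=C

# Reduce a dump to bare '-A CHAIN ...' rules prefixed by their table. Comment,
# policy (':CHAIN ...') and COMMIT lines are dropped, '[pkts:bytes]' counters
# are stripped so that a counter reset does not look like a rule change.
normalize() {
    awk '
        /^\*/                     { table = substr($0, 2); next }
        /^#/ || /^:/ || /^COMMIT/ { next }
        /^\[[0-9]+:[0-9]+\] /     { sub(/^\[[0-9]+:[0-9]+\] /, "") }
        /^-A /                    { print table ": " $0 }
    ' "$1"
}

# foreign_rules BEFORE AFTER: rules present before the restart but gone after
# it, i.e. rules that Shorewall's generated script never installed.
foreign_rules() {
    b=$(mktemp) && a=$(mktemp) || return 1
    normalize "$1" | sort -u > "$b"
    normalize "$2" | sort -u > "$a"
    comm -23 "$b" "$a"
    rm -f "$b" "$a"
}

# chain_heads DUMP: the first rule of each built-in filter chain, which is
# where a tool that runs 'iptables -I' after Shorewall has started ends up.
chain_heads() {
    normalize "$1" | awk '
        { key = $1 " " $3 }                      # "table: CHAIN"
        !(key in seen) { seen[key] = 1; print }
    ' | grep -E '^filter: -A (INPUT|FORWARD|OUTPUT) '
}

# Constructed sample dumps in 'iptables-save -c' form (with counters).
setup_samples() {
    BEFORE_FILE=$(mktemp); AFTER_FILE=$(mktemp)
    cat > "$BEFORE_FILE" <<'EOF'
# constructed sample: ruleset after boot, before 'shorewall restart'
*nat
:POSTROUTING ACCEPT [0:0]
:eth0_masq - [0:0]
[12:900] -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
[3:200] -A POSTROUTING -o eth0 -j eth0_masq
[3:200] -A eth0_masq -s 192.168.0.0/22 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
[5:400] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
[2:600] -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
[99:7000] -A INPUT -j dynamic
[98:6900] -A INPUT -i eth0 -j eth0_in
[0:0] -A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
[7:500] -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
[1:80] -A FORWARD -i eth0 -j eth0_fwd
[50:4000] -A OUTPUT -o eth0 -j eth0_out
COMMIT
EOF
    # After the restart the foreign rules are gone and counters start at zero;
    # derived from the sample above to keep the example short.
    grep -E -v 'virbr0|192\.168\.122' "$BEFORE_FILE" |
        sed -E 's/^\[[0-9]+:[0-9]+\]/[0:0]/' > "$AFTER_FILE"
}

setup_samples
echo '== rules Shorewall did not install (present before restart, gone after) =='
foreign_rules "$BEFORE_FILE" "$AFTER_FILE"
echo '== first rule of each built-in filter chain before the restart =='
chain_heads "$BEFORE_FILE"
rm -f "$BEFORE_FILE" "$AFTER_FILE"
```

On a live host, replace the constructed files with `iptables-save -c` output captured at the two points in time; the foreign rules are the ones the competing tool (here libvirt's default network) must be stopped from installing, or installed in a way Shorewall's startup can order itself after.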