Hi,

I hope this is not a stupid question! A client is currently running a cluster of Proxmox1.6/OpenVZ servers making extensive use of Shorewall on both the hosts and the containers. I am investigating the possibility of upgrading to Proxmox v2.1.

In the Shorewall.net documentation about using Shorewall with OpenVZ there is a warning:

"If you are running Debian Squeeze, Shorewall will not work in an OpenVZ container. This is a Debian OpenVZ issue and not a Shorewall issue."

Proxmox v2.1 runs on Debian Squeeze (6.0).

I assume this means that running the HOST on Debian Squeeze means that you cannot run Shorewall in a container - but will it still work to protect the host or should it not be used at all? I am having trouble accessing any containers externally (e.g. a squid container) if I install Shorewall on the host (currently this is in a test VirtualBox environment so not ideal). I'd like to know whether this is because I've not got the setup correct or it just won't work!

Secondly - does this apply to the newer kernel (I'm running 2.6.32-14-pve) and/or newest Debian (6.0.6)?

Thanks.

--
Regards,
John Hackett
Icon Information Systems
74 Gibsons Hill, Norbury, London, SW16 3JS
t: 020 8764 2663 f: 020 8711 3370 m: 07801-231118
e: john.hackett@icon-is.co.uk w: www.icon-is.co.uk
skype: john_hackett twitter: @iconinfosys

On 10/01/2012 03:14 AM, John M. Hackett wrote:
> Hi,
>
> I hope this is not a stupid question! A client is currently running a
> cluster of Proxmox1.6/OpenVZ servers making extensive use of
> Shorewall on both the hosts and the containers. I am investigating
> the possibility of upgrading to Proxmox v2.1.
>
> In the Shorewall.net documentation about using Shorewall with OpenVZ
> there is a warning:
>
> "If you are running Debian Squeeze, Shorewall will not work in an
> OpenVZ container. This is a Debian OpenVZ issue and not a Shorewall
> issue."
>
> Proxmox v2.1 runs on Debian Squeeze (6.0).
>
> I assume this means that running the HOST on Debian Squeeze means
> that you cannot run Shorewall in a container - but will it still work
> to protect the host or should it not be used at all? I am having
> trouble accessing any containers externally (e.g. a squid container)
> if I install Shorewall on the host (currently this is in a test
> VirtualBox environment so not ideal). I'd like to know whether this
> is because I've not got the setup correct or it just won't work!

I suspect that you have a Shorewall issue. The problem referred to in the article only affects Shorewall running in a container.

> Secondly - does this apply to the newer kernel (I'm running
> 2.6.32-14-pve) and/or newest Debian (6.0.6)?

We've had reports that the problem has been corrected in current Debian Squeeze OpenVZ kernels.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Thanks for the very quick reply Tom.

I went back to square one and now do have it all working as it should be. Shorewall on Host (Debian 6.x) and running in a CentOS 6.x container. These are all venet based rules as I'm working in a VirtualBox environment so next stage is to install on some test hardware (should be coming in a few days) with bridged networking.

--
Regards,
John Hackett

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: shorewall-users@lists.sourceforge.net
Sent: Monday, 1 October, 2012 2:32:02 PM
Subject: Re: [Shorewall-users] Proxmox v2.x, Debian