Hi Alex,
testing your hints brought me a bit closer - but still not to the end
:-(
btw, Kamelle :-)
Following your config works fine as long as dom0 is not involved. The
difference to your config is that you kept one physical eth in dom0.
According to my hardware (both eth0/eth1 are on the same bus? interrupt?
whatever) I have to hide both physical devices so that dom0 has no (!)
ethernet at all.
If I only arrange networking for my domUs everything is fine. I can reach
my firewall from outside (eth) and connect between the domUs.
But as soon as I bring up a dummy in dom0 and assign this interface to one
of my bridges I can't reach it. Doing this via the xen network script makes
even communication between my domUs impossible.
Well... I'll check if something's left in my Pittermännsche and try again
tomorrow.
cheers,
Mat
-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net
[mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of
Alexander Wilms
Sent: Monday, 27 February 2006 20:43
To: Mathias Diehl
Cc: shorewall-users@lists.sourceforge.net
Subject: Re: AW: AW: [Shorewall-users] xen related question
Mathias Diehl wrote:
>
> Hi Alex,
>
> thanx a lot - I think that'll help... (it's really exactly what I
> want to do). I just need to adjust your scripts to debian but that
> shouldn't be a prob.
>
> I think my major problem was caused by some misunderstandings by
> setting up the interface and adding it to the bridge. (I created
> dummy interfaces with an IP and linked them to a bridge - that
> seems to cause routing problems).
Sure, you shouldn't add IPs to a bridge port, add it to the bridge
instead. See ifcfg-br0
> If I get your config right naming eth0 and eth1 in your dom0 is
> just according to the usual convention - I could also name them as
> I like?
I don't really understand your question. But:
There is only 1 Nic in my Dom0! It's the only Nic that is not hidden
by the pci_dom0_hide feature.
And it gets attached to br0 as bridgeport together with vif1.0 from
firewall. IP is then added to br0 by ifcfg-br0.
br1 just bridges vif1.1 and vif2.0 and has no IP at all. So it is a
kind of switch between firewall and the WWW server in the DMZ.
"brctl show" on my dom0:
bridge name     bridge id               STP enabled     interfaces
br1             8000.feffffffffff       no              vif1.1
                                                        vif2.0
br0             8000.00e07dcf60f6       no              eth0
                                                        vif1.0
3 Nics are delegated into the firewall domU.
Firewall DomU interfaces:
eth0 is a fake interface, which is the opposite part of vif1.0
eth1 also fake, opposite of vif1.1
eth2 (pci nic), connected to my neighbor's LAN
eth3 (pci nic), connected to my wireless network
eth4 (pci nic), connected to the DSL modem and is used as link for the
PPPoE Uplink dsl0/ppp0
>
> I'll give it a try by tomorrow and let you know.
>
> Thanx very much for the moment...
>
> cheers,
>
> Mat
>
You're welcome and Kölle alaaf!
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users