I am using Xen-3.0.1, Debian, amd64 with two ethernet interfaces: eth0=LAN, eth1=DMZ. I would like to configure shorewall on dom0 to allow only ssh, and install shorewall on all domUs as needed. Without shorewall everything works fine. I did a standard install of shorewall on dom0 but could not get any traffic through. So I tried the following configuration with equal failure:

interfaces:
loc xenbr0 detect routeback
net xenbr1 detect routeback,norfc1918

policy:
$FW all ACCEPT
net all DROP info
loc all DROP info
all all REJECT info

rules:
ACCEPT loc $FW tcp 22
ACCEPT net $FW tcp 22
ACCEPT loc $FW icmp - - - 5/sec:10
ACCEPT net $FW icmp - - - 5/sec:10

zones:
fw firewall
loc ipv4
net ipv4

In shorewall.conf I have tried both BRIDGING=Yes and BRIDGING=No.

I have read http://www.shorewall.net/Xen.html and http://www.shorewall.net/myfiles.htm but I found these examples hard to follow as they are much more complex than I need.

Any clues appreciated.

Regards,
David Koski
david.nospham@kosmosisland.com
David Koski wrote:
> I am using Xen-3.0.1, Debian, amd64 with two ethernet interfaces: eth0=LAN,
> eth1=DMZ. I would like to configure shorewall on dom0 to allow only ssh, and
> install shorewall on all domUs as needed. Without shorewall everything works
> fine. I did a standard install of shorewall on dom0 but could not get any
> traffic through. So I tried the following configuration with equal failure:
>
> interfaces:
> loc xenbr0 detect routeback
> net xenbr1 detect routeback,norfc1918
> ...
> In shorewall.conf I have tried both BRIDGING=Yes and BRIDGING=No.
>
> I have read http://www.shorewall.net/Xen.html and
> http://www.shorewall.net/myfiles.htm but I found these examples hard to
> follow as they are much more complex than I need.

David,

I've just re-read http://www.shorewall.net/Xen.html and I must say I don't understand why you found it hard to follow. If anything, it is more simple than the setup you have described, because it's only a one-interface system, not two-interface like yours.

Here are some thoughts:

- There is no such thing as a "standard install of shorewall". You must configure it appropriately for your environment - don't expect it to work otherwise.

- From Xen.html: "Because Xen uses normal Linux bridging, you must enable bridge support in shorewall.conf" - don't expect it to work when bridging is turned off.

- In Xen.html, net is eth0, not xenbr+ - you probably want something similar.

- In Xen.html, hosts are specified in bridge:port format - you probably want something similar.

- Configuring shorewall on the non-zero domains is probably counter-productive. I would suggest only allowing traffic from loc to domain 0, and then you know that whatever happens to your virtual hosts in your DMZ, your domain 0 is not likely to be at fault.

I think simply working through Xen.html until you can follow it easily is probably the way to your solution, and important for you to do to ensure you understand your system sufficiently to fix it if something goes wrong.

--
Paul
<http://paulgear.webhop.net>
--
Did you know? Email viruses spread using addresses they find on the host computer. You can help to reduce the spread of these viruses by using Bcc: instead of To: on mass mailings, or using mailing list software such as GNU Mailman (http://www.list.org/) instead.
Hi David,

even though it's only a guess - the bridging option of Shorewall has no effect on the bridges used by xen.

It was very useful for me to try my setup without shorewall at all and after its proven functionality I installed shorewall.

Maybe more details will be useful (brctl show, how did you create your bridges, do they work at all?)

cheers,
Mat

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On behalf of David Koski
Sent: Monday, 6 March 2006 17:55
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] shorewall with xen
On Monday 06 March 2006 08:54, David Koski wrote:
> I am using Xen-3.0.1, Debian, amd64 with two ethernet interfaces: eth0=LAN,
> eth1=DMZ. I would like to configure shorewall on dom0 to allow only ssh,
> and install shorewall on all domUs as needed. Without shorewall everything
> works fine. I did a standard install of shorewall on dom0 but could not get
> any traffic through. So I tried the following configuration with equal
> failure:
>
> interfaces:
> loc xenbr0 detect routeback
> net xenbr1 detect routeback,norfc1918

You are confusing yourself badly by using the names 'loc' and 'net' here. You seem to be trying to shoehorn the two-interface example into a Xen dom0 -- that's a poor strategy.

What you want is:

net eth0 detect norfc1918
foo xenbr0 - routeback
bar xenbr1 - routeback

> policy:
> $FW all ACCEPT
> net all DROP info
> loc all DROP info
> all all REJECT info

Here you want:

fw net ACCEPT
net all DROP info
all all REJECT info

> rules:
> ACCEPT loc $FW tcp 22
> ACCEPT net $FW tcp 22
> ACCEPT loc $FW icmp - - - 5/sec:10
> ACCEPT net $FW icmp - - - 5/sec:10
>
> zones:
> fw firewall
> loc ipv4
> net ipv4

Again, don't try to think of this as a two-interface firewall. It's more like a one-interface firewall.

fw firewall
net ipv4
foo ipv4
bar ipv4

For rules I would start with those from the one-interface sample.

> In shorewall.conf I have tried both BRIDGING=Yes and BRIDGING=No.

As Mathias has mentioned, it's irrelevant in this configuration but BRIDGING=No provides a sleeker ruleset.

> I have read http://www.shorewall.net/Xen.html and
> http://www.shorewall.net/myfiles.htm but I found these examples hard to
> follow as they are much more complex than I need.

http://www.shorewall.net/XenMyWay.html is more what you should be looking at.

> Any clues appreciated.

If you have problems with the above, please follow the problem reporting instructions at http://www.shorewall.net/support.htm.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> On Monday 06 March 2006 08:54, David Koski wrote:
>> I am using Xen-3.0.1, Debian, amd64 with two ethernet interfaces: eth0=LAN,
>> eth1=DMZ. I would like to configure shorewall on dom0 to allow only ssh,
>> and install shorewall on all domUs as needed. Without shorewall everything
>> works fine. I did a standard install of shorewall on dom0 but could not get
>> any traffic through. So I tried the following configuration with equal
>> failure:
>>
>> interfaces:
>> loc xenbr0 detect routeback
>> net xenbr1 detect routeback,norfc1918
>
> You are confusing yourself badly by using the names 'loc' and 'net' here. You
> seem to be trying to shoehorn the two-interface example into a Xen dom0 --
> that's a poor strategy.
>
> What you want is:
>
> net eth0 detect norfc1918
> foo xenbr0 - routeback
> bar xenbr1 - routeback

My physical interfaces are lan=eth0, internet=eth1. How does this relate? What do the names foo and bar refer to?

>> policy:
>> $FW all ACCEPT
>> net all DROP info
>> loc all DROP info
>> all all REJECT info
>
> Here you want:
>
> fw net ACCEPT
> net all DROP info
> all all REJECT info
>
>> rules:
>> ACCEPT loc $FW tcp 22
>> ACCEPT net $FW tcp 22
>> ACCEPT loc $FW icmp - - - 5/sec:10
>> ACCEPT net $FW icmp - - - 5/sec:10
>>
>> zones:
>> fw firewall
>> loc ipv4
>> net ipv4
>
> Again, don't try to think of this as a two-interface firewall. It's more like
> a one-interface firewall.
>
> fw firewall
> net ipv4
> foo ipv4
> bar ipv4
>
> For rules I would start with those from the one-interface sample.

I'll try with one interface.

>> In shorewall.conf I have tried both BRIDGING=Yes and BRIDGING=No.
>
> As Mathias has mentioned, it's irrelevant in this configuration but
> BRIDGING=No provides a sleeker ruleset.
>
>> I have read http://www.shorewall.net/Xen.html and
>> http://www.shorewall.net/myfiles.htm but I found these examples hard to
>> follow as they are much more complex than I need.
>
> http://www.shorewall.net/XenMyWay.html is more what you should be looking at.
>
>> Any clues appreciated.
>
> If you have problems with the above, please follow the problem reporting
> instructions at http://www.shorewall.net/support.htm.
>
> -Tom
On Monday 06 March 2006 01:21 pm, Mathias Diehl wrote:
> Hi David,
>
> even though it's only a guess - the bridging option of Shorewall has no
> effect on the bridges used by xen.
>
> It was very useful for me to try my setup without shorewall at all and after
> its proven functionality I installed shorewall.
>
> Maybe more details will be useful (brctl show, how did you create your
> bridges, do they work at all?)

Yes, everything worked without a firewall. However, I noticed that the bridges have to come up before shorewall but shorewall wants to come up early. I'm going to have to change the startup script sequence.

Thanks,
David
Thank you Tom. I got the firewall to work with the settings below. The only problem I see is that I cannot ssh to a domU from dom0 but I can from the outside. Does this look reasonable?

On Monday 06 March 2006 01:34 pm, Tom Eastep wrote:
<snip>
> What you want is:
>
> net eth0 detect norfc1918
> foo xenbr0 - routeback
> bar xenbr1 - routeback

I did this:

loc eth0 detect
net eth1 detect
xbr0 xenbr0 - routeback
xbr1 xenbr1 - routeback

<snip>
> Here you want:
>
> fw net ACCEPT
> net all DROP info
> all all REJECT info

I did this (I am running ULOG):

$FW loc ACCEPT
loc all DROP $LOG
net all DROP $LOG
all all REJECT $LOG

<snip>
> Again, don't try to think of this as a two-interface firewall. It's more
> like a one-interface firewall.
>
> fw firewall
> net ipv4
> foo ipv4
> bar ipv4

fw firewall
loc ipv4
net ipv4
xbr0 ipv4
xbr1 ipv4

> For rules I would start with those from the one-interface sample.
>
> > In shorewall.conf I have tried both BRIDGING=Yes and BRIDGING=No.
>
> As Mathias has mentioned, it's irrelevant in this configuration but
> BRIDGING=No provides a sleeker ruleset.

Done.

<snip>

Best Regards,
David
On Monday 06 March 2006 16:18, David Koski wrote:
> Thank you Tom. I got the firewall to work with the settings below. The only
> problem I see is that I cannot ssh to a domU from dom0 but I can from the
> outside. Does this look reasonable?

David -- you need to:

a) Look at your Logs.
b) Study Shorewall FAQ 17
c) Determine why the traffic is getting blocked and adjust your rules and/or policies accordingly.
d) If you really get stuck then submit a *complete* problem report as described at http://www.shorewall.net/support.htm.

This isn't brain surgery and we can't hold your hand through every little issue, especially when you post minimal and incomplete information.

My guess would be that you haven't enabled SSH loc->fw but that's only a guess.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
On Monday 06 March 2006 11:08, Paul Gear wrote:
> David Koski wrote:
> I've just re-read http://www.shorewall.net/Xen.html and I must say I don't
> understand why you found it hard to follow. If anything, it is more
> simple than the setup you have described, because it's only a
> one-interface system, not two-interface like yours.
>
> Here are some thoughts:

David and Paul,

http://www.shorewall.net/Xen.html and http://www.shorewall.net/XenMyWay.html show how varied Dom0 Shorewall configurations can be. Please don't try to apply cookie-cutter principles to these configurations as we do in the Sample Configurations and the QuickStart Guides -- the breadth of possible Xen Dom0 configurations is too rich and varied to permit that type of generalization.

With Xen Dom0, Shorewall can help you configure your firewall but you have to understand what you are doing -- I can't give you a "put tab A into slot B" formula for success. At this point, I can only show you a couple of ideas that I've tried and tested -- there is no simple single answer.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
On Monday 06 March 2006 11:08 am, Paul Gear wrote:
> David Koski wrote:
> > I am using Xen-3.0.1, Debian, amd64 with two ethernet interfaces:
> > eth0=LAN, eth1=DMZ. I would like to configure shorewall on dom0 to allow
> > only ssh, and install shorewall on all domUs as needed. Without shorewall
> > everything works fine. I did a standard install of shorewall on dom0 but
> > could not get any traffic through. So I tried the following configuration
> > with equal failure:
> >
> > interfaces:
> > loc xenbr0 detect routeback
> > net xenbr1 detect routeback,norfc1918
> > ...
> > In shorewall.conf I have tried both BRIDGING=Yes and BRIDGING=No.
> >
> > I have read http://www.shorewall.net/Xen.html and
> > http://www.shorewall.net/myfiles.htm but I found these examples hard to
> > follow as they are much more complex than I need.
>
> David,
>
> I've just re-read http://www.shorewall.net/Xen.html and I must say I don't
> understand why you found it hard to follow. If anything, it is more
> simple than the setup you have described, because it's only a
> one-interface system, not two-interface like yours.

I found it confusing because there was little to explain how it worked and I tried to apply it to my situation without success. The fact that I have two interfaces means I have to put both eth0 and eth1 into my configuration. That hardly makes it more complex. What I finally got working with Tom's help was much more simple. For example I have no need to muck around with a hosts file. Did you actually try it?

> Here are some thoughts:
>
> - There is no such thing as a "standard install of shorewall". You must
> configure it appropriately for your environment - don't expect it to
> work otherwise.

Of course. Although I am no guru, I have installed shorewall many times. But not for xen and not in a bridging application.

> - From Xen.html: "Because Xen uses normal Linux bridging, you must
> enable bridge support in shorewall.conf" - don't expect it to work when
> bridging is turned off.

For the record, I turned bridging off on the advice of Tom and it still works. But you are right. I didn't expect it to.

> - In Xen.html, net is eth0, not xenbr+ - you probably want something
> similar.
>
> - In Xen.html, hosts are specified in bridge:port format - you probably
> want something similar.

I have tried many things. The configuration I posted is by no means the only one I tried.

> - Configuring shorewall on the non-zero domains is probably
> counter-productive. I would suggest only allowing traffic from loc to
> domain 0, and then you know that whatever happens to your virtual hosts
> in your DMZ, your domain 0 is not likely to be at fault.

The server has two interfaces, one for loc and one for dmz. It makes the most sense to me to make both interfaces available to both dom0 and all domUs. That is what I did and it actually turned out to be quite simple. Furthermore, the domU shorewall configurations seem to work just like a "normal" non-bridging, non-virtual environment like I am used to.

> I think simply working through Xen.html until you can follow it easily
> is probably the way to your solution, and important for you to do to
> ensure you understand your system sufficiently to fix it if something
> goes wrong.

That method did not work for me. For the record and for Google, here is my configuration that works:

interfaces:
loc eth0 detect
net eth1 detect
xbr0 xenbr0 - routeback
xbr1 xenbr1 - routeback

zones:
fw firewall
loc ipv4
net ipv4
xbr0 ipv4
xbr1 ipv4

rules:
ACCEPT net:64.175.19.6 fw tcp 22
ACCEPT loc fw tcp 22
ACCEPT all all icmp - - - 5/sec:10

policy:
$FW all ACCEPT
loc all DROP $LOG
net all DROP $LOG
all all REJECT $LOG

Other than interfaces xbr0 and xbr1, it looks quite familiar. Note that there is no vif* or peth* in this configuration. Now isn't that simple?

David
Tom Eastep wrote:
> ...
> http://www.shorewall.net/Xen.html and http://www.shorewall.net/XenMyWay.html
> show how varied Dom0 Shorewall configurations can be. Please don't try to
> apply cookie-cutter principles to these configurations as we do in the Sample
> Configurations and the QuickStart Guides -- the breadth of possible Xen Dom0
> configurations is too rich and varied to permit that type of generalization.
>
> With Xen Dom0, Shorewall can help you configure your firewall but you have to
> understand what you are doing -- I can't give you a "put tab A into slot B"
> formula for success. At this point, I can only show you a couple of ideas
> that I've tried and tested -- there is no simple single answer.

One question: why doesn't David's configuration require bridging? If Xen uses normal Linux bridging, shouldn't it be required in every configuration where you want to communicate with any Xen domain other than 0?

Paul
On Tuesday 07 March 2006 17:12, Paul Gear wrote:
> Tom Eastep wrote:
> > ...
> > http://www.shorewall.net/Xen.html and
> > http://www.shorewall.net/XenMyWay.html show how varied Dom0 Shorewall
> > configurations can be. Please don't try to apply cookie-cutter principles
> > to these configurations as we do in the Sample Configurations and the
> > QuickStart Guides -- the breadth of possible Xen Dom0 configurations is
> > too rich and varied to permit that type of generalization.
> >
> > With Xen Dom0, Shorewall can help you configure your firewall but you
> > have to understand what you are doing -- I can't give you a "put tab A
> > into slot B" formula for success. At this point, I can only show you a
> > couple of ideas that I've tried and tested -- there is no simple single
> > answer.
>
> One question: why doesn't David's configuration require bridging? If
> Xen uses normal Linux bridging, shouldn't it be required in every
> configuration where you want to communicate with any Xen domain other
> than 0?

The BRIDGING=Yes option in shorewall.conf enables the ability to filter traffic by bridge port. In David's case, he simply wants to allow all traffic through his two bridges. He does that by:

a) Defining "all hosts accessible through bridge X" as a zone (for each X).
b) Using the fact that Shorewall allows intra-zone traffic by default.

It is very much like the difference between http://www.shorewall.net/bridge.html and http://www.shorewall.net/SimpleBridge.html.

HTH,
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
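As an added illustration of the evaluation order behind Tom's answer (explicit rules first, then the first matching policy, with intra-zone traffic accepted by default), here is a small Python model run over the zones/rules/policy tables David posted as his working configuration. It is an example written for this thread, not Shorewall's own code; the treatment of "all" policies for intra-zone traffic and the second source address (a documentation-range address) are assumptions made for the example.

```python
"""Model of how Shorewall evaluates David's posted tables (constructed
example, not Shorewall's own code): rules are tried first in order, then
the first matching policy; traffic between hosts in the same zone is
accepted by default, which is why domUs behind one bridge can talk to
each other without any rule (Tom's point (b))."""
import ipaddress

# Tables copied from David's working configuration in the thread.
ZONES = {"fw": "firewall", "loc": "ipv4", "net": "ipv4",
         "xbr0": "ipv4", "xbr1": "ipv4"}
RULES = """
ACCEPT net:64.175.19.6 fw tcp 22
ACCEPT loc fw tcp 22
ACCEPT all all icmp - - - 5/sec:10
"""
POLICY = """
$FW all ACCEPT
loc all DROP $LOG
net all DROP $LOG
all all REJECT $LOG
"""


def parse_table(text):
    """Split a Shorewall table into its whitespace-separated columns."""
    return [line.split() for line in text.strip().splitlines() if line.strip()]


def zone_matches(spec, zone, addr=None):
    """'all' matches any zone; 'zone:net' also restricts the address."""
    spec = "fw" if spec == "$FW" else spec
    if spec == "all":
        return True
    name, _, net = spec.partition(":")
    if name != zone:
        return False
    if not net:
        return True
    return addr is not None and (
        ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False))


def decide(src, dst, proto, port=None, src_addr=None):
    """Verdict for a new connection from zone src to zone dst."""
    if src not in ZONES or dst not in ZONES:
        raise ValueError("unknown zone")
    # 1. explicit rules, first match wins
    for action, rsrc, rdst, rproto, *rest in parse_table(RULES):
        rport = rest[0] if rest else "-"
        if (zone_matches(rsrc, src, src_addr) and zone_matches(rdst, dst)
                and rproto in (proto, "-") and rport in (str(port), "-")):
            return action
    # 2. policies, first match wins; a policy written with 'all' does not
    #    override the default intra-zone ACCEPT (assumption: an explicit
    #    'xbr0 xbr0 DROP' line would be needed for that)
    for psrc, pdst, action, *_ in parse_table(POLICY):
        if src == dst and "all" in (psrc, pdst):
            continue
        if zone_matches(psrc, src) and zone_matches(pdst, dst):
            return action
    # 3. nothing matched: intra-zone traffic is accepted by default
    return "ACCEPT" if src == dst else "REJECT"


if __name__ == "__main__":
    # dom0 -> domU on xenbr0 is covered by the '$FW all ACCEPT' policy
    print(decide("fw", "xbr0", "tcp", 22))
    # only the listed Internet host may ssh to dom0 (198.51.100.7 is a
    # constructed documentation-range address)
    print(decide("net", "fw", "tcp", 22, "64.175.19.6"),
          decide("net", "fw", "tcp", 22, "198.51.100.7"))
    # two domUs on the same bridge need no rule at all
    print(decide("xbr0", "xbr0", "tcp", 22))
```

Running it shows that with this policy table dom0 reaches the domUs through the `$FW all ACCEPT` line, while a domU reaching dom0 (`xbr1` to `fw`) falls through to `all all REJECT`, which is where the logs Tom points to in FAQ 17 would show the blocked traffic.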