Hi *,

I have a xen server working in network-bridge mode

Shorewall works fine, but I cannot intercept packets from vifs to vifs.

e.g.:
Shorewall:FORWARD:REJECT:IN=xenbr0 OUT=xenbr0 PHYSIN=vif9.0 PHYSOUT=vif4.0

in the hosts file I'm using:
dmz xenbr0:vif+

"ACCEPT dmz dmz" in policy doesn't work, and I have to use "ACCEPT all all" at the moment.

Any hints?

--
Davide Corio
davide.corio@redomino.com
Redomino S.r.l.
C.so Monte Grappa 90/b - 10145 Torino - Italy
Tel: +39 011 19502871 - Fax: +39 011 19791122 - http://www.redomino.com/

-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

On Tuesday 28 March 2006 06:21, Davide Corio wrote:
> Hi *,
>
> I have a xen server working in network-bridge mode
>
> Shorewall works fine, but I cannot intercept packets from vifs to vifs.
>
> e.g.:
> Shorewall:FORWARD:REJECT:IN=xenbr0 OUT=xenbr0 PHYSIN=vif9.0 PHYSOUT=vif4.0
>
> in the hosts file I'm using:
> dmz xenbr0:vif+
>
> "ACCEPT dmz dmz" in policy doesn't work, and I have to use "ACCEPT all
> all" at the moment.
>
> Any hints?

Which version of Shorewall are you running?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

On Tue, 28/03/2006 at 07.19 -0800, Tom Eastep wrote:
> Which version of Shorewall are you running?

the version included in Debian Sarge = 3.0.4-1

--
Davide Corio

Quoting Davide Corio <davide.corio@redomino.com>:
> On Tue, 28/03/2006 at 07.19 -0800, Tom Eastep wrote:
>> Which version of Shorewall are you running?
>
> the version included in Debian Sarge = 3.0.4-1
>

The version in Sarge is 2.2.3-2. Perhaps you mean the version in Etch?

-Roberto

--
Roberto C. Sanchez
http://familiasanchez.net/~roberto

On Tuesday 28 March 2006 07:22, Davide Corio wrote:
> On Tue, 28/03/2006 at 07.19 -0800, Tom Eastep wrote:
> > Which version of Shorewall are you running?
>
> the version included in Debian Sarge = 3.0.4-1

Then I need to see the output of "shorewall dump".

Thanks,
-Tom

On Tue, 28/03/2006 at 10.24 -0500, Roberto C. Sanchez wrote:
> The version in Sarge is 2.2.3-2. Perhaps you mean the version in Etch?
>
> -Roberto

Yes, sorry :)

--
Davide Corio

On Tue, 28/03/2006 at 07.26 -0800, Tom Eastep wrote:
> On Tuesday 28 March 2006 07:22, Davide Corio wrote:
> > On Tue, 28/03/2006 at 07.19 -0800, Tom Eastep wrote:
> > > Which version of Shorewall are you running?
> >
> > the version included in Debian Sarge = 3.0.4-1
>
> Then I need to see the output of "shorewall dump".

Et voilà

I followed your howto: http://www.shorewall.net/Xen.html (thanks a lot)

--
Davide Corio

On Tuesday 28 March 2006 07:26, Tom Eastep wrote:
> On Tuesday 28 March 2006 07:22, Davide Corio wrote:
> > On Tue, 28/03/2006 at 07.19 -0800, Tom Eastep wrote:
> > > Which version of Shorewall are you running?
> >
> > the version included in Debian Sarge = 3.0.4-1
>
> Then I need to see the output of "shorewall dump".

You'll probably need to compress it or the list server won't let it through --
or you can send it directly to me (as an attachment, not in-line).

-Tom

On Tue, 28/03/2006 at 07.43 -0800, Tom Eastep wrote:
> You'll probably need to compress it or the list server won't let it through --
> or you can send it directly to me (as an attachment, not in-line).

I think the file has also arrived at the ml, it is only 35kb

--
Davide Corio

On Tue, 28/03/2006 at 17.58 +0200, Davide Corio wrote:
> On Tue, 28/03/2006 at 07.43 -0800, Tom Eastep wrote:
> > You'll probably need to compress it or the list server won't let it through --
> > or you can send it directly to me (as an attachment, not in-line).
>
> I think the file has also arrived at the ml, it is only 35kb

err.... I am tired :(

--
Davide Corio

On Tuesday 28 March 2006 07:58, Davide Corio wrote:
> On Tue, 28/03/2006 at 07.43 -0800, Tom Eastep wrote:
> > You'll probably need to compress it or the list server won't let it
> > through -- or you can send it directly to me (as an attachment, not
> > in-line).
>
> I think the file has also arrived at the ml, it is only 35kb

Try adding the 'routeback' option to your entry for dmz
in /etc/shorewall/hosts.

-Tom

On Tue, 28/03/2006 at 08.16 -0800, Tom Eastep wrote:
> Try adding the 'routeback' option to your entry for dmz
> in /etc/shorewall/hosts.

nothing changed :(

--
Davide Corio

On Tuesday 28 March 2006 08:28, Davide Corio wrote:
> On Tue, 28/03/2006 at 08.16 -0800, Tom Eastep wrote:
> > Try adding the 'routeback' option to your entry for dmz
> > in /etc/shorewall/hosts.
>
> nothing changed :(

I was afraid of that -- I will need to provide you with a fix but I won't be
able to work on it until after my workday is done (and it's just starting).

-Tom

On Tuesday 28 March 2006 08:31, Tom Eastep wrote:
> On Tuesday 28 March 2006 08:28, Davide Corio wrote:
> > On Tue, 28/03/2006 at 08.16 -0800, Tom Eastep wrote:
> > > Try adding the 'routeback' option to your entry for dmz
> > > in /etc/shorewall/hosts.
> >
> > nothing changed :(
>
> I was afraid of that -- I will need to provide you with a fix but I won't
> be able to work on it until after my workday is done (and it's just
> starting).
>

There's a fix available in the Shorewall 3.0.5 Errata sub-directory (see
http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.5/known_problems.txt)

-Tom

On Tue, 28/03/2006 at 12.58 -0800, Tom Eastep wrote:
> There's a fix available in the Shorewall 3.0.5 Errata sub-directory (see
> http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.5/known_problems.txt)

Tnx!!

--
Davide Corio

On Tuesday 28 March 2006 13:10, Davide Corio wrote:
> On Tue, 28/03/2006 at 12.58 -0800, Tom Eastep wrote:
> > There's a fix available in the Shorewall 3.0.5 Errata sub-directory (see
> > http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.5/known_problems.txt)
>
> Tnx!!

You're welcome -- it's also fixed in 3.0.6 which is just being released.

-Tom

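
Added example, not part of the original thread: the log line in the first message has IN and OUT naming the same bridge (xenbr0) while PHYSIN and PHYSOUT name different ports, which is what vif-to-vif traffic looks like to netfilter. The Python sketch below picks such entries out of a log so that traffic blocked between bridge ports can be told apart from routed traffic. The function names are hypothetical, and every sample line except the REJECT fields quoted in the thread (timestamps, host name, addresses) is constructed.

```python
import re
from collections import Counter

# Log prefix in the form shown in the thread: Shorewall:<chain>:<disposition>:
PREFIX = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):")
# Interface fields of a netfilter log entry; PHYSIN/PHYSOUT are the bridge ports.
FIELD = re.compile(r"\b(IN|OUT|PHYSIN|PHYSOUT|SRC|DST)=(\S*)")

def parse(line):
    """Return chain, disposition and interface fields as a dict, or None."""
    m = PREFIX.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disp": m.group("disp")}
    rec.update(dict(FIELD.findall(line[m.end():])))
    return rec

def is_intra_bridge(rec):
    """True when a packet entered and left the same bridge on different ports."""
    same_bridge = bool(rec.get("IN")) and rec.get("IN") == rec.get("OUT")
    ports = (rec.get("PHYSIN"), rec.get("PHYSOUT"))
    return same_bridge and all(ports) and ports[0] != ports[1]

def blocked_port_pairs(lines):
    """Count REJECT/DROP entries per (bridge, ingress port, egress port)."""
    pairs = Counter()
    for line in lines:
        rec = parse(line)
        if rec and rec["disp"] in ("REJECT", "DROP") and is_intra_bridge(rec):
            pairs[(rec["IN"], rec["PHYSIN"], rec["PHYSOUT"])] += 1
    return dict(pairs)

# Constructed sample log; only the first entry's Shorewall fields come from the thread.
SAMPLE = [
    "Mar 28 16:01:02 host kernel: Shorewall:FORWARD:REJECT:IN=xenbr0 OUT=xenbr0 "
    "PHYSIN=vif9.0 PHYSOUT=vif4.0 SRC=192.0.2.10 DST=192.0.2.20",
    "Mar 28 16:01:05 host kernel: Shorewall:FORWARD:REJECT:IN=xenbr0 OUT=xenbr0 "
    "PHYSIN=vif9.0 PHYSOUT=vif4.0 SRC=192.0.2.10 DST=192.0.2.20",
    "Mar 28 16:02:11 host kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "SRC=198.51.100.7 DST=192.0.2.1",
    "Mar 28 16:03:40 host kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=xenbr0 "
    "PHYSOUT=vif4.0 SRC=198.51.100.7 DST=192.0.2.20",
    "Mar 28 16:04:00 host sshd[812]: unrelated line without a Shorewall prefix",
]

if __name__ == "__main__":
    for (bridge, src, dst), n in blocked_port_pairs(SAMPLE).items():
        print(f"{n} blocked on {bridge}: {src} -> {dst}")
```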