Hello,

I have recently discovered vmware server and installed it on a centos server.

Having already setup xen & shorewall following a very clear howto, I hoped to find an equivalent solution but in fact, I have found very little helpful information.

I'd like to install shorewall on the main host (centos), setup networking in a bridged mode so each virtual host gets its own IP and setup shorewall to control everything from the main host.

Has anyone some experience about that?

Thanks in advance,
--
Mikael Kermorgant

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
I don't think you can do this, but it's not a limitation of Shorewall. Each VM is its own machine and installing Shorewall on the host OS only allows Shorewall to affect the host OS. It's akin to installing Shorewall on some other machine on the network and expecting it to be able to protect a totally separate machine.

By way of illustration - I have a box at home with a single NIC and two VMWare VMs running inside it. They are both bridged to the Internet. The NIC on the host box doesn't even have a routable IP, but the VMs are able to DHCP from my ISP without issue. In fact, I'm pretty sure that the host NIC doesn't technically need an IP at all, but I had to give it one in order to bring it up. It's obviously not being used.

In short, other than having to be connected so the VMs can pass traffic, the host OS plays no real part in any traffic exchange. If you went NAT for your VMs you may have success as traffic has to pass to and from the host OS for that to work and the host OS would be a gateway. Bridged, though, means that your VMs are directly connected to the network.

I know it's a weird concept and I haven't ironed out my full understanding of it, but that's the gist of it.

Jon

Mikael Kermorgant wrote:
> Hello,
>
> I have recently discovered vmware server and installed it on a centos server.
>
> Having already setup xen & shorewall following a very clear howto, I
> hoped to find an equivalent solution but in fact, I have found very
> little helpful information.
>
> I'd like to install shorewall on the main host (centos), setup
> networking in a bridged mode so each virtual host gets its own IP and
> setup shorewall to control everything from the main host.
>
> Has anyone some experience about that ?
>
> Thanks in advance,

--
Key fingerprint: BDE0 DE52 B8C0 0CDF 7653 E5A2 D861 7877 0D3B 813E
http://www.jonwatson.ca
+1.403.770.2837
"Trying to learn to hack on a DOS or Windows machine or under MacOS is like trying to learn to dance while wearing a body cast" - ESR
On Mon, Mar 05, 2007 at 09:09:52AM -0700, Jon wrote:
> In fact, I'm pretty sure that the host NIC doesn't technically need an
> IP at all, but I had to give it one in order to bring it up.

An invalid address will suffice. If you use one of the guaranteed martians (like 0.0.0.0) then the kernel should never use it for anything (barring bugs).
ktneely@astroturfgarden.com
2007-Mar-05 18:03 UTC
Re: shorewall & vmware server : possible ?
On Mon, Mar 05, 2007 at 09:09:52AM -0700, Jon wrote:
> I don't think you can do this, but it's not a limitation of
> Shorewall. Each VM is its own machine and installing Shorewall on
> the host OS only allows Shorewall to affect the host OS. It's akin
> to installing Shorewall on some other machine on the network and
> expecting it to be able to protect a totally separate machine.

I have never tried anything like this, and the last time I used VMware, it was v4.5 or so. Anyway, IIRC VMWare sets up a number of virtual interfaces on the host machine for use by the VMs. Could you not define those in Shorewall and then set your firewall rules up the way you want?

I admit, the VMWare networking is mostly black magic to me, and I have not used it for a few years, but I would think you could use it, although the setup might differ quite a bit from the default. However, Jon's post makes a lot of sense, and if VMWare essentially creates a layer 2 bridge, there might not be anything you can do about it.

That was probably not very helpful, but it is an interesting idea and could certainly be useful for testing if the OP could get it setup the way he wants to.

K
--
In Vino Veritas
http://astroturfgarden.com
ktneely@astroturfgarden.com wrote:
> Could you not define those in Shorewall and then set your firewall rules up the way you want?

I'm pretty sure this can be done if you're NATting. It's the bridging that's probably not going to work in this case.

J
Jon wrote:
> ktneely@astroturfgarden.com wrote:
>> Could you not define those in Shorewall and then set your firewall
>> rules up the way you want?
>
> I'm pretty sure this can be done if you're NATting. It's the bridging
> that's probably not going to work in this case.

As you've pointed out, with VMWare bridging the host has no visibility of the VM's network traffic.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Thank you very much for all these answers. I'll try to protect these virtual hosts in another way.

Regards,
--
Mikael Kermorgant
On 3/6/07, Mikael Kermorgant <mikael.kermorgant@gmail.com> wrote:
> Thank you very much for all these answers. I'll try to protect these
> virtual hosts in another way.

The best way to do it is to setup the VM interface in 'host-only' mode. This basically forwards all traffic from the VM onto one of the vmnetX interfaces. After that it's a simple matter of writing the shorewall zone for the vmnet interfaces and appropriate rules.

If you try to do NAT, the vmnet-natd daemon does the port-forwarding and natting - it runs as root in the host. All outgoing traffic appears to be from that daemon - so there's pretty much nothing you can do to control the outgoing traffic.

I've done both the natted and 'host-only' setup, and while the 'host-only' is a little more painful to setup, the level of control provided is incomparable.

Hope that helps.

Prasanna.
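A worked Shorewall configuration for the host-only layout Prasanna describes, added here as an example; it is not from the thread or from the Shorewall project. It assumes eth0 is the host's public interface, vmnet1 is the VMware host-only interface, VMware assigned it the 192.168.100.0/24 subnet, and one guest at 192.168.100.10 runs a web server (all assumed values); the host routes and masquerades for the guests, so every packet to or from a VM crosses the host's netfilter and can be filtered per guest.

```text
# /etc/shorewall/shorewall.conf  (only the setting that matters here)
# Guests on vmnet1 reach the Internet through the host, so it must route.
IP_FORWARDING=On

# /etc/shorewall/zones  (constructed example, Shorewall 3.x column layout)
#ZONE   TYPE
fw      firewall
net     ipv4
vm      ipv4

# /etc/shorewall/interfaces
# eth0 faces the Internet; vmnet1 is the host-only interface (assumed names).
# 'dhcp' lets vmnet-dhcpd on the host answer the guests' DHCP requests.
#ZONE   INTERFACE  BROADCAST  OPTIONS
net     eth0       detect     tcpflags,routefilter
vm      vmnet1     detect     tcpflags,dhcp

# /etc/shorewall/policy
# Default-deny towards the host and from the Internet; guests may go out
# to the net but get nothing else unless a rule below opens it.
#SOURCE  DEST  POLICY  LOG LEVEL
$FW      all   ACCEPT
vm       net   ACCEPT
vm       $FW   DROP    info
net      all   DROP    info
all      all   REJECT  info

# /etc/shorewall/masq
# Host-only guests sit on a private subnet (192.168.100.0/24 is the assumed
# VMware-assigned range), so the host masquerades them behind eth0.
#INTERFACE  SOURCE
eth0        192.168.100.0/24

# /etc/shorewall/rules
#ACTION  SOURCE  DEST                PROTO  DEST PORT(S)
# SSH to the host from the Internet and from the guests
ACCEPT   net     $FW                 tcp    22
ACCEPT   vm      $FW                 tcp    22
# Guests resolve names through a resolver on the host (assumed)
ACCEPT   vm      $FW                 udp    53
# Publish one guest's web server on the host's public address: port 80
# is DNAT'ed to 192.168.100.10 (assumed guest address), nothing else is.
DNAT     net     vm:192.168.100.10   tcp    80
```

With VMware's own NAT mode the same guest traffic would instead leave the host as packets generated locally by vmnet-natd, that is, from the $FW zone, which is why it cannot be attributed to or filtered per guest there.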