Hi, I'm new to Linux/Shorewall so forgive me if this is an obvious question. I have successfully installed shorewall on CentOS 5 and have it working well.

I have a standard setup that includes the following zones:

net - internet
loc - local lan
dmz - for web servers

I currently have 1 ip on the internet interface. I would like to add several more so I can DNAT incoming requests to various web servers in the dmz. I am also using masq to allow the loc and dmz to access the internet.

I searched the documentation and cannot find a specific example of this. I tried adding additional config files in the /etc/sysconfig/network folder for eth0. I have ifcfg-eth0 and ifcfg-eth0:0. The differences between the 2 files are their ip addresses. Then in masq file I had something like eth0:0 eth2. I rebooted to make sure all was changed and could not access the internet on eth2. Shorewall did not complain about the config.

Thanks,
Pete

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Keith Mitchell
2008-Feb-11 19:54 UTC
Xen and the Art of Shorewall... and Bandwidth Arbitrator
A little off topic here... I'm spinning a "what if" to see if this is possible and / or if anyone can offer suggestions regarding best practices on setup.

I am attempting to setup a Multi-ISP (2 different upstream ISP's) Shorewall in tandem with Bandwidth Arbitrator (http://www.bandwidtharbitrator.com). I would like to make this a single-box solution, so would love to leverage Xen to host the VM for Bandwidth Arbitrator, as BA requires a patched 2.6.5 kernel.

My configuration would look something like this:

    ISP1        ISP2
     |           |
    -------------
     |   DOM0------DOMU
     |   DOM0----------
     |
    Internal Net

As the 2.6.5 DOMU in my config MUST be fully virtualized, I cannot use pciback.hide to reserve a NIC in DOMU to be the gateway for my internal network, so my idea was to arrange NICs / virtual NICs thusly:

    ETH1        ETH2
     |           |
    -------------
     |   Dummy0-----XenBR0 |----------bridged inside DOMU (BA works via bridging only)
     |   ETH0-------XenBR1
     |
    Internal Net

Is this theoretically / practically possible using Shorewall and Xen, or am I just creating waaaaay too much work for myself?

Keith Mitchell
CTO
Productivity Associates, Inc.
keithm@gotopai.com
Pete wrote:
> Hi,
>
> I'm new to Linux/Shorewall so forgive me if this is an obvious question.
> I have successfully installed shorewall on CentOS 5 and have it working
> well.
>
> I have a standard setup that includes the following zones:
>
> net - internet
> loc - local lan
> dmz - for web servers
>
> I currently have 1 ip on the internet interface. I would like to add
> several more so I can DNAT incoming requests to various web servers in
> the dmz. I am also using masq to allow the loc and dmz access the internet.
>
> I searched the documentation and cannot find a specific example of this.
> I tried adding additional config files in the /etc/sysconfig/network
> folder for eth0. I have ifcfg-eth0 and ifcfg-eth0:0. The differences
> between the 2 files are their ip addresses. Then in masq file I had
> something like eth0:0 eth2. I rebooted to make sure all was changed and
> could not access the internet on eth2. Shorewall did not complain about
> the config.

http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
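The layout Pete describes (one net interface carrying several public addresses, DNAT to separate dmz hosts, masq for loc and dmz) is easy to get subtly wrong: a DNAT rule whose ORIGINAL DEST is not actually configured on the net interface, or a SNAT address that the interface does not own, fails silently at the network layer while Shorewall accepts the files. The following is an added example, not code from Shorewall or from anyone on this thread. It embeds constructed sample interfaces, masq and rules files (classic column layout: INTERFACE/SOURCE/ADDRESS for masq, ACTION/SOURCE/DEST/PROTO/DEST PORT/SOURCE PORT/ORIGINAL DEST for rules) together with a constructed table of the addresses configured on each interface, and cross-checks them before deployment. Interface names, zones and all addresses are assumptions chosen to match the thread; the expectation that the interfaces file names physical interfaces rather than eth0:0-style labels follows the aliased-interfaces page Tom links.

```python
"""Pre-deploy consistency check for a Shorewall DNAT/masq layout with several
public addresses on one interface.  Added example, not Shorewall's own code.

Assumed layout (from the thread): eth0 = net, eth1 = loc, eth2 = dmz, with the
extra public addresses configured on eth0 (ifcfg-eth0:0 and friends) and the
Shorewall files naming the physical interface only.  Every address and file
body below is constructed sample data.
"""
import re

NET_INTERFACE = "eth0"

# Constructed: what `ip addr show` would report after boot, per interface.
CONFIGURED_ADDRESSES = {
    "eth0": {"203.0.113.10", "203.0.113.11", "203.0.113.12"},
    "eth1": {"192.168.1.1"},
    "eth2": {"10.0.2.1"},
}

# Constructed /etc/shorewall/interfaces: physical names, no eth0:0 labels.
INTERFACES_FILE = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter
loc     eth1        detect      tcpflags,nosmurfs
dmz     eth2        detect      tcpflags,nosmurfs
"""

# Constructed /etc/shorewall/masq: loc is masqueraded, dmz is SNATed to one
# specific public address.
MASQ_FILE = """\
#INTERFACE   SOURCE   ADDRESS
eth0         eth1
eth0         eth2     203.0.113.10
"""

# Constructed /etc/shorewall/rules: one DNAT per public address -> dmz server.
# The last line deliberately uses an address eth0 does not own.
RULES_FILE = """\
#ACTION   SOURCE   DEST              PROTO   DEST     SOURCE   ORIGINAL
#                                            PORT     PORT     DEST
DNAT      net      dmz:10.0.2.10     tcp     80       -        203.0.113.11
DNAT      net      dmz:10.0.2.11     tcp     80,443   -        203.0.113.12
DNAT      net      dmz:10.0.2.12     tcp     80       -        203.0.113.13
"""

ALIAS_NAME = re.compile(r"^[a-z]+\d+:\S+$")  # eth0:0-style alias label


def parse_columns(text):
    """Yield the whitespace-separated columns of each non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def check_config(interfaces, masq, rules, configured):
    """Return a list of problems; an empty list means the layout is consistent."""
    problems = []
    # interfaces: Shorewall wants the physical interface, not an alias label.
    for cols in parse_columns(interfaces):
        if ALIAS_NAME.match(cols[1]):
            problems.append(f"interfaces: alias name {cols[1]} used; name the physical interface")
    # masq: the outgoing interface must exist and any SNAT address must be on it.
    for cols in parse_columns(masq):
        iface = cols[0].split(":", 1)[0]
        if iface not in configured:
            problems.append(f"masq: unknown interface {cols[0]}")
        elif len(cols) >= 3 and cols[2] not in configured[iface]:
            problems.append(f"masq: SNAT address {cols[2]} is not configured on {iface}")
    # rules: a DNAT only sees traffic if its ORIGINAL DEST is really on the net interface.
    net_addrs = configured.get(NET_INTERFACE, set())
    for cols in parse_columns(rules):
        if cols[0] != "DNAT" or len(cols) < 7:
            continue
        if cols[6] not in net_addrs:
            problems.append(f"rules: DNAT to {cols[2]} uses ORIGINAL DEST {cols[6]}, "
                            f"which is not configured on {NET_INTERFACE}")
    return problems


if __name__ == "__main__":
    for problem in check_config(INTERFACES_FILE, MASQ_FILE, RULES_FILE, CONFIGURED_ADDRESSES):
        print("WARN:", problem)
```

Run it against the real files and a dictionary built from `ip addr show` output; with the sample data above it reports exactly one warning, for the DNAT whose ORIGINAL DEST 203.0.113.13 is not among eth0's addresses. The check deliberately tolerates an `eth0:label` spelling in the masq INTERFACE column, since that column's labelling behaviour depends on the Shorewall version and ADD_SNAT_ALIASES setting; the interfaces file is the place where an alias name is the wrong thing to write.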
Tom Eastep
2008-Feb-11 20:40 UTC
Re: Xen and the Art of Shorewall... and Bandwidth Arbitrator
Keith Mitchell wrote:
> Is this theoretically / practically possible using Shorewall and Xen, or
> am I just creating waaaaay too much work for myself?

I think you'll find it simpler to run Shorewall in a domU that shares a private bridge with the arbitrator. I really discourage the use of Shorewall in a bridged Dom0.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Keith Mitchell
2008-Feb-11 21:43 UTC
Re: Xen and the Art of Shorewall... and Bandwidth Arbitrator
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Monday, February 11, 2008 12:41 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] Xen and the Art of Shorewall... and Bandwidth Arbitrator

> Keith Mitchell wrote:
>> Is this theoretically / practically possible using Shorewall and Xen, or
>> am I just creating waaaaay too much work for myself?
>
> I think you'll find it simpler to run Shorewall in a domU that shares a
> private bridge with the arbitrator. I really discourage the use of
> Shorewall in a bridged Dom0.
>
> -Tom

-----Original Message-----

Ahh ok, so something like:

    DOM0------DOM1
     |
    ETH1   ETH2
     |      |
    -DOM1---DOM2
     |
    -DOM1-----
     |
    -ETH0
     |
    Internal Net

?

Keith Mitchell
CTO
Productivity Associates, Inc.
keithm@gotopai.com
Tom Eastep
2008-Feb-11 21:57 UTC
Re: Xen and the Art of Shorewall... and Bandwidth Arbitrator
Keith Mitchell wrote:
> Ahh ok, so something like:
>
>     DOM0------DOM1
>      |
>     ETH1   ETH2
>      |      |
>     -DOM1---DOM2
>      |
>     -DOM1-----
>      |
>     -ETH0
>      |
>     Internal Net

    dom1:eth1  dom1:eth2 (both delegated from dom0)
       |_______|
           |
     dom1 (Firewall)
           |
       dom1:eth0
           |
        xenbr1
           |
       dom2:eth1
           |
    dom2 (Arbitrator)
           |
       dom2:eth0
           |
        xenbr0 - eth0 - Dom0 (does nothing but host
           |                  the domUs).
        peth0

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Keith Mitchell
2008-Feb-11 21:58 UTC
Re: Xen and the Art of Shorewall... and Bandwidth Arbitrator
Thank you very much!

Keith Mitchell
CTO
keithm@gotopai.com

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Monday, February 11, 2008 1:58 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] Xen and the Art of Shorewall... and Bandwidth Arbitrator

> Keith Mitchell wrote:
>> Ahh ok, so something like:
>>
>>     DOM0------DOM1
>>      |
>>     ETH1   ETH2
>>      |      |
>>     -DOM1---DOM2
>>      |
>>     -DOM1-----
>>      |
>>     -ETH0
>>      |
>>     Internal Net
>
>     dom1:eth1  dom1:eth2 (both delegated from dom0)
>        |_______|
>            |
>      dom1 (Firewall)
>            |
>        dom1:eth0
>            |
>         xenbr1
>            |
>        dom2:eth1
>            |
>     dom2 (Arbitrator)
>            |
>        dom2:eth0
>            |
>         xenbr0 - eth0 - Dom0 (does nothing but host
>            |                  the domUs).
>         peth0
>
> -Tom