This is not my first setup of Shorewall, but first involving XEN.

Trying to implement FW at routed Dom0.

I did not find a similar problem in the FAQ or mailing list, but if somebody knows a similar thread let me know.

My setup is the following:

ISP--non routed--(eth0)x.x.x.173 FW--LAN(eth1)10.10.0.2
                                   ----DMZ LAN (eth2)x.x.x.164
                                   ----DMZ Xen DomU (vif1.0) x.x.x.165

The problem is that even if I drop all connections on DMZ, I can still connect to the DomU machine.

Dump attached.

OS is CentOS 5.1, xen 3.0.3.

How to troubleshoot further?

Thank you.

P.S. x.x.x replaces the public address and it is the same.
Hristo Benev wrote:
> This is not my first setup of Shorewall, but first involving XEN
>
> Trying to implement FW at routed Dom0.
>
> I did not find similar problem in the FAQ or mailing list, but if somebody knows similar thread let me know.
>
> My setup is following
>
> ISP--non routed--(eth0)x.x.x.173 FW--LAN(eth1)10.10.0.2
>                                    ----DMZ LAN (eth2)x.x.x.164
>                                    ----DMZ Xen DomU (vif1.0) x.x.x.165
>
> The problem is that even I drop all connections on DMZ I can still connect to DomU machine
>
> Dump attached
>
> Os is CentOS 5.1
>
> xen 3.0.3
>
> How to troubleshoot further?
>

Start by telling us what you are trying to accomplish with this setup. From looking at the dump, I have no clue. You have absurd features like a bridge (virbr0) with an IP address (192.168.122.1) but no ports.

And when you say 'I can still connect to the DomU machine', where can you still connect from? Don't you think that might be important?

Because if you can still connect from the Lan to the DomU system, both are in the same zone. And intra-zone connections are accepted by default. And you have no dmz->dmz rules or policies.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
>-------- Original message --------
>From: Tom Eastep <teastep@shorewall.net>
>Subject: Re: [Shorewall-users] Shorewall and xen
>To: Shorewall Users <shorewall-users@lists.sourceforge.net>
>Sent on: Monday, March 24, 2008 04:16:58 EET
>----------------------------------
>
>Hristo Benev wrote:
>> This is not my first setup of Shorewall, but first involving XEN
>>
>> Trying to implement FW at routed Dom0.
>>
>> I did not find similar problem in the FAQ or mailing list, but if somebody knows similar thread let me know.
>>
>> My setup is following
>>
>> ISP--non routed--(eth0)x.x.x.173 FW--LAN(eth1)10.10.0.2
>>                                    ----DMZ LAN (eth2)x.x.x.164
>>                                    ----DMZ Xen DomU (vif1.0) x.x.x.165
>>
>> The problem is that even I drop all connections on DMZ I can still connect to DomU machine
>>
>> Dump attached
>>
>> Os is CentOS 5.1
>>
>> xen 3.0.3
>>
>> How to troubleshoot further?
>>
>
>Start by telling us what you are trying to accomplish with this setup.
> From looking at the dump, I have no clue. You have absurd features like
>a bridge (virbr0) with an IP address (192.168.122.1) but no ports.
>
>And when you say 'I can still connect to the DomU machine', where can
>you still connect from? Don't you think that might be important?
>
>Because if you can still connect from the Lan to the DomU system, both
>are in the same zone. And intra-zone connections are accepted by
>default. And you have no dmz->dmz rules or policies.
>
>-Tom
>--
>Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
>Shoreline,         \ http://shorewall.net
>Washington USA     \ teastep@shorewall.net
>PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
>
>

Sorry, I was not really clear.

I'm a little bit confused by Xen networking, so I may have some interfaces that are not used.

Basically I'm trying to limit the access from net to DMZ to certain ports only.

Initially my DomU machine (let's call it Mail) with IP x.x.x.165 was bridged and I had direct access to it from the internet.

I modified the config file to routing and tried to follow your guide; maybe I did something wrong, because I still had access from the internet to "Mail" even though I have "net to all drop" in policy.

How can I troubleshoot it?

Thank you

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Hristo Benev wrote:
>
> Sorry I was not really clear.
>
> I'm little bit confused by Xen Networking, so I may have some interfaces that are not used.
>
> Basically I'm trying to limit the access from net to DMZ to certain ports only.
> Initially my DomU machine (lets call it Mail) with IP x.x.x.165
> was bridged and I have direct access to it from internet.
> I modified config file to routing and tried to follow your guide,
> maybe I did something wrong because I still had access from internet to "Mail"
> even I have "net to all drop" in policy.

I don't see how, unless your eth0 and eth2 are connected to the same switch/hub.

> How I can troubleshoot it?
>

Be sure that you really have a problem. Start with a fresh client on an internet system and connect to Mail. Be sure that the connection shows up in the output of "shorewall show connections". Now "shorewall show net2dmz". Do you see any traffic? If not, then traffic from the internet is bypassing eth0.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
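As an added illustration of the zone layout Tom describes (constructed for this thread, not configuration posted by Hristo or shipped by the Shorewall project), here is a minimal set of Shorewall 3.x-style files for the topology in the first message: the dmz zone spans both eth2 and vif1.0, the net->all DROP policy is logged so a blocked internet connection is visible in "shorewall show log", and rules open only the ports the Mail DomU at x.x.x.165 needs (25 and 993 are assumed example ports).

```conf
# /etc/shorewall/zones -- one zone per trust level (constructed example)
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4

# /etc/shorewall/interfaces -- the dmz zone covers both the physical DMZ LAN
# (eth2) and the routed DomU vif (vif1.0). Hosts on these two interfaces are
# intra-zone, so Dom0 accepts traffic between them by default; that is why a
# test from the DMZ LAN or the LAN does not exercise the net->dmz policy.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,routefilter,nosmurfs
loc     eth1        detect      tcpflags
dmz     eth2        detect      tcpflags
dmz     vif1.0      -           tcpflags

# /etc/shorewall/policy -- deny by default. The "info" log level makes every
# dropped net->dmz packet show up in "shorewall show log", which confirms that
# internet traffic really traverses eth0 instead of bypassing the firewall.
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
dmz     net     ACCEPT
fw      all     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules -- only the listed ports reach the Mail DomU;
# x.x.x.165 is the placeholder address used in the thread.
#ACTION SOURCE  DEST            PROTO   DEST PORT(S)
ACCEPT  net     dmz:x.x.x.165   tcp     25
ACCEPT  net     dmz:x.x.x.165   tcp     993
```

With this in place, a connection from an internet client to x.x.x.165 on any other port should appear as a logged DROP in "shorewall show net2dmz"; if nothing is logged and the connection still succeeds, the packets are not passing through eth0.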
Hristo, how is your Xen + Shorewall configuration coming along?

Werner

On Mon, 2008-03-24 at 18:49 +0200, Hristo Benev wrote:
> >-------- Original message --------
> >From: Tom Eastep <teastep@shorewall.net>
> >Subject: Re: [Shorewall-users] Shorewall and xen
> >To: Shorewall Users <shorewall-users@lists.sourceforge.net>
> >Sent on: Monday, March 24, 2008 04:16:58 EET
> >----------------------------------
> >
> >Hristo Benev wrote:
> >> This is not my first setup of Shorewall, but first involving XEN
> >>
> >> Trying to implement FW at routed Dom0.
> >>
> >> I did not find similar problem in the FAQ or mailing list, but if somebody knows similar thread let me know.
> >>
> >> My setup is following
> >>
> >> ISP--non routed--(eth0)x.x.x.173 FW--LAN(eth1)10.10.0.2
> >>                                    ----DMZ LAN (eth2)x.x.x.164
> >>                                    ----DMZ Xen DomU (vif1.0) x.x.x.165
> >>
> >> The problem is that even I drop all connections on DMZ I can still connect to DomU machine
> >>
> >> Dump attached
> >>
> >> Os is CentOS 5.1
> >>
> >> xen 3.0.3
> >>
> >> How to troubleshoot further?
> >>
> >
> >Start by telling us what you are trying to accomplish with this setup.
> > From looking at the dump, I have no clue. You have absurd features like
> >a bridge (virbr0) with an IP address (192.168.122.1) but no ports.
> >
> >And when you say 'I can still connect to the DomU machine', where can
> >you still connect from? Don't you think that might be important?
> >
> >Because if you can still connect from the Lan to the DomU system, both
> >are in the same zone. And intra-zone connections are accepted by
> >default. And you have no dmz->dmz rules or policies.
> >
> >-Tom
> >--
> >Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
> >Shoreline,         \ http://shorewall.net
> >Washington USA     \ teastep@shorewall.net
> >PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
> >
> >
> Sorry I was not really clear.
>
> I'm little bit confused by Xen Networking, so I may have some interfaces that are not used.
>
> Basically I'm trying to limit the access from net to DMZ to certain ports only.
> Initially my DomU machine (lets call it Mail) with IP x.x.x.165 was bridged and I have direct access to it from internet.
> I modified config file to routing and tried to follow your guide, maybe I did something wrong because I still had access from internet to "Mail" even I have "net to all drop" in policy.
>
> How I can troubleshoot it?
>
> Thank you