Hello

I have recently started using Shorewall to manage my firewall. I'm very impressed so far.

Yesterday I installed it on 2 machines which run KVM (kernel virtual machine) virtualization.

When a virtual machine starts, a virtual network interface (or interfaces) is created for the VM - vnetX. These in turn are connected to a bridge which uses a physical interface (eth1).

What I need to do:
a) Filter traffic on the management interface - eth0.
b) Allow all traffic on the bridge - br0 - which in turn uses physical interface eth1. Each VM will handle traffic by running its own firewall.

I'm using Shorewall 4.2.10.

I spent ages using the "bport" option but I was getting nowhere. I could not get the traffic inside the VMs to route. So I changed the bridge interface to the same as eth0 - ipv4 - and it now works OK.

Here is my setup:

Zones
fw     firewall
lan    ipv4
kvm    ipv4

Interfaces
lan    eth0    detect    dhcp
kvm    br0     detect    dhcp,bridge,routeback

Policy
fw     all    ACCEPT
lan    fw     REJECT
kvm    fw     ACCEPT
all    all    DROP

Rules
ACCEPT    lan    fw    icmp
ACCEPT    lan    fw    tcp    ssh,https

where "lan" is the local area network and "kvm" is the zone for the bridge which handles the VMs and their virtual network interfaces. As you can see, for the management interface I'm allowing icmp traffic for ping, and SSH and HTTPS.

I must stress that this machine is not connected directly to the internet but lives inside a secure LAN. So why bother running a firewall? Well, this is a test for a machine that will be hosted in a data centre and will be connected directly to the internet.

Now it's working, but have I simply taken the easy route here when setting this up? Or should I try to get the kvm zone working as "bport"?

Has anyone else set up a machine running a bridge for virtual machines?

I've searched the documentation and this mailing list, but the documentation is inconsistent for this setup.
Thank you

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
While not your situation exactly, I wrote an article detailing how to use a firewall with KVM and OpenVZ machines.

http://www.montanalinux.org/proxmox-ve-with-shorewall-part2.html

If you ignore the OpenVZ parts, the way to use Shorewall with KVM is there.

Hope that helps some.

 _
/-\ ndrew
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Here's my setup. Note - I have mixed virtual machines - ones that attach to the bridge and use real public IPs, and ones that use the virbr0 of libvirt (I assume you're using libvirt; if you're not, you better be :P ) that have private network IPs, i.e. 172.16.0.0/12.

cat zones

#
# Shorewall version 4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
#ZONE          TYPE        OPTIONS         IN                      OUT
#                                          OPTIONS                 OPTIONS
fw             firewall
world          ipv4
net:world      bport
kvm:world      bport
vir            ipv4

cat interfaces

#
# Shorewall version 4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-interfaces.html
#
###############################################################################
#ZONE   INTERFACE       BROADCAST       OPTIONS
world   br0             detect          tcpflags,nosmurfs,logmartians,routeback,bridge
vir     virbr0          detect          dhcp,tcpflags,nosmurfs,logmartians,routeback,bridge
net     br0:eth0        detect
kvm     br0:vnet+       detect

cat policy

#
# Shorewall version 4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
#SOURCE  DEST    POLICY   LOG     LIMIT:    CONNLIMIT:
#                         LEVEL   BURST     MASK
$FW      all     ACCEPT   info
vir      all     ACCEPT   info
kvm      all     ACCEPT   info
net      kvm     ACCEPT   info
all      all     DROP     info

cat rules

#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
####################################################################################################################################################
#ACTION        SOURCE                                          DEST                      PROTO   DEST      SOURCE   ORIGINAL   RATE    USER/   MARK   CONNLIMIT   TIME
#                                                                                                PORT      PORT(S)  DEST       LIMIT   GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
#SSH(ACCEPT)   all                                             $FW
ACCEPT         all                                             $FW                       icmp    8
SSH(ACCEPT)    all                                             $FW
ACCEPT         net:83.148.126.68                               $FW                       tcp     10050
FTP(ACCEPT)    net:78.128.77.97/24                             $FW
# DNAT Database access to postgresql and mysql
DNAT           net:78.83.144.122,77.70.16.150,93.152.141.231   vir:172.17.0.1            tcp     5432,3306
DNAT:Info      net                                             kvm:83.148.126.70:64738   tcp     3785
DNAT:Info      net                                             kvm:83.148.126.70:64738   udp     3785
DNAT:Info      net                                             vir:172.30.166.217:80     tcp     8282
DNAT:Info      net                                             vir:172.30.166.217        tcp     8069,8070

***NOTE**** I have a subnet of real IPs that's 83.148.126.65/28. As you can see, I'm doing some redirects from the host to one of the guests here (the DNAT kvm: ones); the vir: ones are redirects to machines with internal IPs.

cat masq

#
# Shorewall version 4 - Masq file
#
# For information about entries in this file, type "man shorewall-masq"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-masq.html
#
###############################################################################
#INTERFACE   SOURCE          ADDRESS         PROTO   PORT(S)   IPSEC   MARK   USER/
#                                                                             GROUP
br0          172.16.0.0/12   83.148.126.67

If you have any questions feel free to ask :)

----- Original Message -----
From: "Andrew Niemantsverdriet" <andrewniemants@gmail.com>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: Tuesday, March 2, 2010 7:28:05 PM
Subject: Re: [Shorewall-users] KVM and bridge advice please
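As an added example (not code from this thread or from Shorewall itself), the following Python script encodes the bridge-port layout rules that the two posted configurations illustrate: a bport zone is declared as child:parent, its interface entries are written bridge:port, and the bridge itself needs an entry in the parent zone carrying the 'bridge' option. The sample zones/interfaces texts are constructed inline from the two posts above; the function names are my own.

```python
"""Consistency check for Shorewall 4.2-style zones/interfaces files that use bport zones."""

# Sample configs constructed inline from the two layouts posted in this thread.
ZONES_BPORT = """
fw          firewall
world       ipv4
net:world   bport
kvm:world   bport
vir         ipv4
"""
INTERFACES_BPORT = """
world   br0         detect  tcpflags,nosmurfs,logmartians,routeback,bridge
vir     virbr0      detect  dhcp,tcpflags,nosmurfs,logmartians,routeback,bridge
net     br0:eth0    detect
kvm     br0:vnet+   detect
"""
ZONES_SINGLE = "fw firewall\nlan ipv4\nkvm ipv4\n"
INTERFACES_SINGLE = "lan eth0 detect dhcp\nkvm br0 detect dhcp,bridge,routeback\n"


def parse(text):
    """Column lists of the non-comment, non-blank lines of a Shorewall table file."""
    stripped = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return [line.split() for line in stripped if line]


def check_bport(zones_text, interfaces_text):
    """Return a list of problems; an empty list means the bridge-port layout is consistent."""
    zone_type, parent_of = {}, {}
    for cols in parse(zones_text):
        name, ztype = cols[0], (cols[1] if len(cols) > 1 else "ipv4")
        if ":" in name:                      # bport zones are declared as child:parent
            name, parent = name.split(":", 1)
            parent_of[name] = parent
        zone_type[name] = ztype
    rows = parse(interfaces_text)
    # bridges (entries carrying the 'bridge' option) and the zone each bridge belongs to
    bridge_zone = {r[1]: r[0] for r in rows if len(r) > 3 and "bridge" in r[3].split(",")}
    problems = [f"zone {z}: bport zones must be declared as {z}:parent"
                for z, t in zone_type.items() if t == "bport" and z not in parent_of]
    for cols in rows:
        zone, iface = cols[0], cols[1]
        is_port = ":" in iface               # bridge:port form, e.g. br0:eth0 or br0:vnet+
        if zone_type.get(zone) == "bport" and not is_port:
            problems.append(f"zone {zone}: interface {iface} must be written as bridge:port")
        elif is_port and zone_type.get(zone) != "bport":
            problems.append(f"interface {iface}: zone {zone} must be of type bport")
        elif is_port:
            bridge = iface.split(":", 1)[0]
            if bridge not in bridge_zone:
                problems.append(f"interface {iface}: {bridge} needs an entry with the 'bridge' option")
            elif bridge_zone[bridge] != parent_of.get(zone):
                problems.append(f"interface {iface}: {bridge} is in zone {bridge_zone[bridge]} "
                                f"but {zone} is a child of {parent_of.get(zone)}")
    return problems
```

Both posted layouts pass; the single-zone layout from the original question simply treats the whole bridge as one zone, while the bport layout lets eth0 and the vnet+ ports be filtered as separate zones.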