hi,
i've got a virtual linux host with bridged network with 4 guests: 3 linux and 1 windows. in case of the linux host and the 3 linux guests all have their own shorewall configuration. but in case of the windows guest i can't do this.
is it possible to use shorewall to filter only windows guest traffic on the host itself? the host has br0 (as bridge) and vnet0-3 for the guests where vnet3 is the windows guest. in this case how should i define: zones, interfaces, policy? while i'd not like to disturb other guest traffic on the host (ie. use their own firewall in the guests).
thanks in advance.
regards.
-- 
Levente "Si vis pacem para bellum!"
On Apr 28, 2011, at 3:08 PM, Farkas Levente <lfarkas@lfarkas.org> wrote:

> hi,
> i've got a virtual linux host with bridged network with 4 guests: 3 linux
> and 1 windows. in case of the linux host and the 3 linux guests all have
> their own shorewall configuration. but in case of the windows guest i
> can't do this.
> is it possible to use shorewall to filter only windows guest traffic on
> the host itself? the host has br0 (as bridge) and vnet0-3 for the guests
> where vnet3 is the windows guest. in this case how should i define:
> zones, interfaces, policy? while i'd not like to disturb other guest
> traffic on the host (ie. use their own firewall in the guests).
> thanks in advance.
> regards.

Yes, it is possible. But before I can give you details, I need to know if the box's external interface is also a part of the bridge.

Thanks,
Tom
On 04/29/2011 01:15 AM, Tom Eastep wrote:
> On Apr 28, 2011, at 3:08 PM, Farkas Levente <lfarkas@lfarkas.org> wrote:
>
>> hi,
>> i've got a virtual linux host with bridged network with 4 guests: 3 linux
>> and 1 windows. in case of the linux host and the 3 linux guests all have
>> their own shorewall configuration. but in case of the windows guest i
>> can't do this.
>> is it possible to use shorewall to filter only windows guest traffic on
>> the host itself? the host has br0 (as bridge) and vnet0-3 for the guests
>> where vnet3 is the windows guest. in this case how should i define:
>> zones, interfaces, policy? while i'd not like to disturb other guest
>> traffic on the host (ie. use their own firewall in the guests).
>> thanks in advance.
>> regards.
>
> Yes, it is possible. But before I can give you details, I need to know if the box's external interface is also a part of the bridge.

yes. it's one physical ethernet card running 4 guests (and the host) while br0 has one valid public ip address.

this is the setup:

# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.6cf049b9800a       no              eth0
                                                        vnet0
                                                        vnet1
                                                        vnet2
                                                        vnet3
# ifconfig
br0       Link encap:Ethernet  HWaddr 6C:F0:49:B9:80:0A
          inet addr:1.2.3.4  Bcast:1.2.3.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:78537495 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13333536 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:7250322026 (6.7 GiB)  TX bytes:58699652446 (54.6 GiB)

eth0      Link encap:Ethernet  HWaddr 6C:F0:49:B9:80:0A
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:141686837 errors:0 dropped:0 overruns:0 frame:0
          TX packets:114685992 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:32429824910 (30.2 GiB)  TX bytes:120019867392 (111.7 GiB)
          Interrupt:35 Base address:0xe000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:220184 errors:0 dropped:0 overruns:0 frame:0
          TX packets:220184 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:316739812 (302.0 MiB)  TX bytes:316739812 (302.0 MiB)

vnet0     Link encap:Ethernet  HWaddr FE:54:00:B5:A9:34
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5623576 errors:0 dropped:0 overruns:0 frame:0
          TX packets:61595953 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:15444682121 (14.3 GiB)  TX bytes:11060142699 (10.3 GiB)

vnet1     Link encap:Ethernet  HWaddr FE:54:00:09:71:2B
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:22643389 errors:0 dropped:0 overruns:0 frame:0
          TX packets:75916886 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:31250603040 (29.1 GiB)  TX bytes:7726089254 (7.1 GiB)

vnet2     Link encap:Ethernet  HWaddr FE:54:00:1F:F7:5D
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15754986 errors:0 dropped:0 overruns:0 frame:0
          TX packets:67798786 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:11375672734 (10.5 GiB)  TX bytes:15335707117 (14.2 GiB)

vnet3     Link encap:Ethernet  HWaddr FE:54:00:14:E8:B9
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:244377 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3603432 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:20385018 (19.4 MiB)  TX bytes:833931605 (795.2 MiB)

-- 
Levente "Si vis pacem para bellum!"
On 04/29/2011 04:43 AM, Farkas Levente wrote:
> yes. it's one physical ethernet card running 4 guests (and the host)
> while br0 has one valid public ip address.
>
> this is the setup:
> # brctl show
> bridge name     bridge id               STP enabled     interfaces
> br0             8000.6cf049b9800a       no              eth0
>                                                         vnet0
>                                                         vnet1
>                                                         vnet2
>                                                         vnet3
> # ifconfig
> [...]
> vnet3     Link encap:Ethernet  HWaddr FE:54:00:14:E8:B9
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:244377 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:3603432 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:500
>           RX bytes:20385018 (19.4 MiB)  TX bytes:833931605 (795.2 MiB)

Okay; here is how I would do it (assuming that the Windows box is vnet3):

shorewall.conf:

...
IMPLICIT_CONTINUE=No
...

zones:

fw          firewall
world       ipv4
net:world   bport
dmz:world   bport
win:dmz     bport

policy:

net    dmz     ACCEPT
net    all     DROP     info
dmz    net     ACCEPT
win    net     ACCEPT            #You might want to change this
fw     world   ACCEPT
all    all     REJECT   info

interfaces:

world   br0         -   bridge
net     br0:eth0
win     br0:vnet3
dmz     br0:vnet+

HTH,
-Tom
-- 
Tom Eastep        \   When I die, I want to go like my Grandfather who
Shoreline,         \   died peacefully in his sleep. Not screaming like
Washington, USA     \   all of the passengers in his car
http://shorewall.net \________________________________________________
On 04/29/2011 04:08 PM, Tom Eastep wrote:
> On 04/29/2011 04:43 AM, Farkas Levente wrote:
>
>> yes. it's one physical ethernet card running 4 guests (and the host)
>> while br0 has one valid public ip address.
>>
>> this is the setup:
>> # brctl show
>> bridge name     bridge id               STP enabled     interfaces
>> br0             8000.6cf049b9800a       no              eth0
>>                                                         vnet0
>>                                                         vnet1
>>                                                         vnet2
>>                                                         vnet3
>> # ifconfig
>> [...]
>
> Okay; here is how I would do it (assuming that the Windows box is vnet3):
>
> shorewall.conf:
>
> ...
> IMPLICIT_CONTINUE=No
> ...
>
> zones:
>
> fw          firewall
> world       ipv4
> net:world   bport
> dmz:world   bport
> win:dmz     bport
>
> policy:
>
> net    dmz     ACCEPT
> net    all     DROP     info
> dmz    net     ACCEPT
> win    net     ACCEPT            #You might want to change this
> fw     world   ACCEPT
> all    all     REJECT   info
>
> interfaces:
>
> world   br0         -   bridge
> net     br0:eth0
> win     br0:vnet3
> dmz     br0:vnet+

before this setup i've this in the rules:
SSH(ACCEPT)   net:$ADMIN_NET   fw
which was working, but after that i'm no longer able to access the host :-(
so in this case what is the right rule? should net be world, or?
and what's the reason for the:
net   all   DROP   info
in the middle of the policy file when there is a reject at the end?
thanks.
-- 
Levente "Si vis pacem para bellum!"
On 05/30/2011 12:05 AM, Farkas Levente wrote:
> before this setup i've this in the rules:
> SSH(ACCEPT)   net:$ADMIN_NET   fw
> which was working, but after that i'm no longer able to access the
> host :-(
> so in this case what is the right rule? should net be world, or?

'...no longer able to access..' isn't enough to go on. I would at least need to see what log message is generated when you try to access (the output of 'shorewall dump' collected right after you tried to access would be better) in order to tell you what's wrong.

> and what's the reason for the:
> net   all   DROP   info
> in the middle of the policy file when there is a reject at the end?

So the box and its VMs are stealth from the net.

-Tom
-- 
Tom Eastep        \   When I die, I want to go like my Grandfather who
Shoreline,         \   died peacefully in his sleep. Not screaming like
Washington, USA     \   all of the passengers in his car
http://shorewall.net \________________________________________________
On 05/30/2011 04:56 PM, Tom Eastep wrote:
> On 05/30/2011 12:05 AM, Farkas Levente wrote:
>
>> before this setup i've this in the rules:
>> SSH(ACCEPT)   net:$ADMIN_NET   fw
>> which was working, but after that i'm no longer able to access the
>> host :-(
>> so in this case what is the right rule? should net be world, or?
>
> '...no longer able to access..' isn't enough to go on. I would at least

this means i get "Connection refused" when i try to ssh.
but if i replace:
SSH(ACCEPT)   net:$ADMIN_NET   fw
with
SSH(ACCEPT)   world:$ADMIN_NET   fw
then i can connect, but in this case i can connect from everywhere, not just from $ADMIN_NET.
so what do net and world mean in this case? of course $ADMIN_NET is the public ips of the host from the net where i'd like to access ssh.

> need to see what log message is generated when you try to access (the
> output of 'shorewall dump' collected right after you tried to access
> would be better) in order to tell you what's wrong.

attached.

>> and what's the reason for the:
>> net   all   DROP   info
>> in the middle of the policy file when there is a reject at the end?
>
> So the box and its VMs are stealth from the net.

all other guests have their own shorewall and the win guest has rules on the host. so why is it needed? and anyway there is a
all   all   REJECT
at the end of the policy file.
-- 
Levente "Si vis pacem para bellum!"
On 05/31/2011 02:38 AM, Farkas Levente wrote:
> On 05/30/2011 04:56 PM, Tom Eastep wrote:
>> On 05/30/2011 12:05 AM, Farkas Levente wrote:
>>
>>> before this setup i've this in the rules:
>>> SSH(ACCEPT)   net:$ADMIN_NET   fw
>>> which was working, but after that i'm no longer able to access the
>>> host :-(
>>> so in this case what is the right rule? should net be world, or?
>>
>> '...no longer able to access..' isn't enough to go on. I would at least
>
> this means i get "Connection refused" when i try to ssh.
> but if i replace:
> SSH(ACCEPT)   net:$ADMIN_NET   fw
> with
> SSH(ACCEPT)   world:$ADMIN_NET   fw
> then i can connect, but in this case i can connect from everywhere, not
> just from $ADMIN_NET.
> so what do net and world mean in this case? of course $ADMIN_NET
> is the public ips of the host from the net where i'd like to access ssh.
>
>> need to see what log message is generated when you try to access (the
>> output of 'shorewall dump' collected right after you tried to access
>> would be better) in order to tell you what's wrong.
>
> attached.

What does 'cat /proc/sys/net/bridge/bridge-nf-call-iptables' show? If it shows '0', then you need to change your /etc/sysctl.conf to set it to 1. If it shows '1', then there is something wrong with physdev match on your system because the following rules don't seem to be matched:

    0     0 net2fw     all  --  br0    *       0.0.0.0/0   0.0.0.0/0   PHYSDEV match --physdev-in eth0
    0     0 hird2fw    all  --  br0    *       0.0.0.0/0   0.0.0.0/0   PHYSDEV match --physdev-in vnet3
    0     0 dmz2fw     all  --  br0    *       0.0.0.0/0   0.0.0.0/0   PHYSDEV match --physdev-in vnet+

Any incoming traffic should match one of those three rules, yet it is falling through to this rule:

  787 96669 world2fw   all  --  br0    *       0.0.0.0/0   0.0.0.0/0

Contrast that behavior with bridge rules on my own firewall:

60274 3869K lan-fw     all  --  *      *       0.0.0.0/0   0.0.0.0/0   PHYSDEV match --physdev-in eth1 policy match dir in pol none
 7175  596K wlan-fw    all  --  *      *       0.0.0.0/0   0.0.0.0/0   PHYSDEV match --physdev-in eth2 policy match dir in pol none
    0     0 loc-fw     all  --  *      *       0.0.0.0/0   0.0.0.0/0   policy match dir in pol none

Here, 'lan' and 'wlan' are zones associated with br1 ports eth1 and eth2 respectively. Both 'lan' and 'wlan' are sub-zones of 'loc', but no packets are falling through to the 'loc-fw' chain.

>>> and what's the reason for the:
>>> net   all   DROP   info
>>> in the middle of the policy file when there is a reject at the end?
>>
>> So the box and its VMs are stealth from the net.
>
> all other guests have their own shorewall and the win guest has rules on the
> host. so why is it needed? and anyway there is a
> all   all   REJECT
> at the end of the policy file.

Fine -- if you want the net->fw policy to be REJECT rather than DROP then remove the net->all policy. I'm not going to argue with you about it; it's your configuration, not mine. But under DOS conditions, I prefer to simply drop incoming packets rather than generate a second storm of outgoing reply packets in response.

-Tom
-- 
Tom Eastep        \   When I die, I want to go like my Grandfather who
Shoreline,         \   died peacefully in his sleep. Not screaming like
Washington, USA     \   all of the passengers in his car
http://shorewall.net \________________________________________________
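The counter pattern Tom reads off the dump above (every PHYSDEV sub-zone rule at zero while the parent-zone catch-all carries all the traffic) can be checked mechanically. The following is an added example written for this thread, not Shorewall's own code: it parses `iptables -nvL`-style rule lines as they appear in `shorewall dump` output and reports whether the bridge netfilter hook looks disabled. The two sample chains are constructed from the rule lines quoted in this message; the chain names (net2fw, hird2fw, dmz2fw, world2fw, lan-fw, wlan-fw, loc-fw) are taken from it as well.

```python
"""Detect starved PHYSDEV zone rules in iptables counter output.

Added example for this thread (not Shorewall code). It flags the symptom
discussed above: the physdev-matching bport zone rules have zero packets
while the catch-all parent-zone rule is busy, which on a bridge points at
bridge-nf-call-iptables being 0 (or physdev match being unavailable)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, built from the rule lines quoted in the thread (broken host).
BROKEN_CHAIN = """\
    0     0 net2fw     all  --  br0    *       0.0.0.0/0   0.0.0.0/0   PHYSDEV match --physdev-in eth0
    0     0 hird2fw    all  --  br0    *       0.0.0.0/0   0.0.0.0/0   PHYSDEV match --physdev-in vnet3
    0     0 dmz2fw     all  --  br0    *       0.0.0.0/0   0.0.0.0/0   PHYSDEV match --physdev-in vnet+
  787 96669 world2fw   all  --  br0    *       0.0.0.0/0   0.0.0.0/0
"""

# Constructed sample, built from Tom's working bridge where sub-zone rules do match.
HEALTHY_CHAIN = """\
60274 3869K lan-fw     all  --  *      *       0.0.0.0/0   0.0.0.0/0   PHYSDEV match --physdev-in eth1 policy match dir in pol none
 7175  596K wlan-fw    all  --  *      *       0.0.0.0/0   0.0.0.0/0   PHYSDEV match --physdev-in eth2 policy match dir in pol none
    0     0 loc-fw     all  --  *      *       0.0.0.0/0   0.0.0.0/0   policy match dir in pol none
"""

_SCALE = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}
_COUNTER = re.compile(r"^(\d+)([KMG]?)$")


def parse_counter(token: str) -> int:
    """iptables -v abbreviates large counters (e.g. 3869K); expand to an int."""
    m = _COUNTER.match(token)
    if not m:
        raise ValueError(f"not an iptables counter: {token!r}")
    return int(m.group(1)) * _SCALE[m.group(2)]


@dataclass
class Rule:
    packets: int
    target: str
    in_if: str
    physdev_in: Optional[str]  # None when the rule carries no PHYSDEV match


def parse_chain(text: str) -> List[Rule]:
    """Parse `pkts bytes target prot opt in out source destination [matches]`
    lines; `Chain ...` headers and the column-header line are skipped."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[0] in ("Chain", "pkts"):
            continue
        pkts, _bytes, target, _prot, _opt, in_if = parts[:6]
        matches = " ".join(parts[9:])
        m = re.search(r"--physdev-in\s+(\S+)", matches)
        rules.append(Rule(parse_counter(pkts), target, in_if, m.group(1) if m else None))
    return rules


def diagnose(text: str) -> dict:
    """Summarise where traffic went and whether the physdev rules are starved
    while the catch-all (non-physdev) rule is the one seeing packets."""
    rules = parse_chain(text)
    physdev = [r for r in rules if r.physdev_in is not None]
    catchall = [r for r in rules if r.physdev_in is None]
    physdev_pkts = sum(r.packets for r in physdev)
    catchall_pkts = sum(r.packets for r in catchall)
    return {
        "physdev_rules": len(physdev),
        "physdev_packets": physdev_pkts,
        "catchall_packets": catchall_pkts,
        "starved_targets": [r.target for r in physdev if r.packets == 0],
        "suspect_bridge_nf_disabled": bool(physdev) and physdev_pkts == 0 and catchall_pkts > 0,
    }


if __name__ == "__main__":
    for name, chain in (("broken", BROKEN_CHAIN), ("healthy", HEALTHY_CHAIN)):
        print(name, diagnose(chain))
```

On the broken host the report lists all three zone chains as starved and sets the suspect flag; on Tom's firewall the flag stays clear because the sub-zone rules carry the traffic and loc-fw sees none. Feeding it the relevant chain from a live `shorewall dump` gives the same yes/no answer Tom derived by eye.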
On 05/31/2011 03:50 PM, Tom Eastep wrote:
> On 05/31/2011 02:38 AM, Farkas Levente wrote:
>> On 05/30/2011 04:56 PM, Tom Eastep wrote:
>>> On 05/30/2011 12:05 AM, Farkas Levente wrote:
>>>
>>>> before this setup i've this in the rules:
>>>> SSH(ACCEPT)   net:$ADMIN_NET   fw
>>>> which was working, but after that i'm no longer able to access the
>>>> host :-(
>>>> so in this case what is the right rule? should net be world, or?
>>>
>>> '...no longer able to access..' isn't enough to go on. I would at least
>>
>> this means i get "Connection refused" when i try to ssh.
>> but if i replace:
>> SSH(ACCEPT)   net:$ADMIN_NET   fw
>> with
>> SSH(ACCEPT)   world:$ADMIN_NET   fw
>> then i can connect, but in this case i can connect from everywhere, not
>> just from $ADMIN_NET.
>> so what do net and world mean in this case? of course $ADMIN_NET
>> is the public ips of the host from the net where i'd like to access ssh.
>>
>>> need to see what log message is generated when you try to access (the
>>> output of 'shorewall dump' collected right after you tried to access
>>> would be better) in order to tell you what's wrong.
>>
>> attached.
>
> What does 'cat /proc/sys/net/bridge/bridge-nf-call-iptables' show? If it
> shows '0', then you need to change your /etc/sysctl.conf to set it to 1.
> If it shows '1', then there is something wrong with physdev match on
> your system because the following rules don't seem to be matched:

it's 0. should i have to set it by hand in /etc/sysctl.conf? (it'd be nice if shorewall could set it like net.ipv4.ip_forward). this is set by kvm by default in case of a bridge setup (maybe it'd be useful to add to the docs).
anyway thanks, now it seems to be working :-)
-- 
Levente "Si vis pacem para bellum!"
On 5/31/11 7:36 AM, Farkas Levente wrote:
>
> it's 0. should i have to set it by hand in /etc/sysctl.conf?

Yes, or in /etc/shorewall/init

> (it'd be nice if shorewall could set it like net.ipv4.ip_forward).

I had already added that code before I got your response :-) It will be included in 4.4.20.

-Tom
-- 
Tom Eastep        \   When I die, I want to go like my Grandfather who
Shoreline,         \   died peacefully in his sleep. Not screaming like
Washington, USA     \   all of the passengers in his car
http://shorewall.net \________________________________________________
FYI:
this is what's added to /etc/sysctl.conf by libvirtd with kvm on rhel/fedora:

# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

regards.

On Tue, May 31, 2011 at 16:51, Tom Eastep <teastep@shorewall.net> wrote:
> On 5/31/11 7:36 AM, Farkas Levente wrote:
>
>>
>> it's 0. should i have to set it by hand in /etc/sysctl.conf?
>
> Yes, or in /etc/shorewall/init
>
>> (it'd be nice if shorewall could set it like net.ipv4.ip_forward).
>
> I had already added that code before I got your response :-) It will be
> included in 4.4.20.
>
> -Tom
> --
> Tom Eastep        \   When I die, I want to go like my Grandfather who
> Shoreline,         \   died peacefully in his sleep. Not screaming like
> Washington, USA     \   all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>

-- 
Levente "Si vis pacem para bellum!"
On 06/05/2011 07:59 AM, Farkas Levente wrote:
> FYI:
> this is what's added to /etc/sysctl.conf by libvirtd with kvm on rhel/fedora:
>
> # Disable netfilter on bridges.
> net.bridge.bridge-nf-call-ip6tables = 0
> net.bridge.bridge-nf-call-iptables = 0
> net.bridge.bridge-nf-call-arptables = 0

Thanks,
-Tom
-- 
Tom Eastep        \   When I die, I want to go like my Grandfather who
Shoreline,         \   died peacefully in his sleep. Not screaming like
Washington, USA     \   all of the passengers in his car
http://shorewall.net \________________________________________________
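The root cause the thread ends on is a sysctl precedence problem: libvirt writes a fragment that turns the bridge netfilter hooks off, so Shorewall's PHYSDEV rules never see a packet until an administrator's setting loaded later (a higher-sorting sysctl file, or /etc/shorewall/init as Tom suggests) turns bridge-nf-call-iptables back on. The following is an added example for this thread, not Shorewall's or libvirt's code. The libvirt fragment is the one quoted above; the override fragment, the function names and the option to also require the IPv6 hook are this example's own choices, and the live read of /proc/sys/net/bridge only runs when the script is executed directly.

```python
"""Audit the bridge-netfilter sysctls that Shorewall bport zones depend on.

Added example for this thread (not Shorewall's or libvirt's code). It
merges sysctl fragments in load order to show that libvirt's `= 0` lines
are only a problem when nothing later sets the IPv4 hook back to 1, and
it can read the live knobs from /proc for the same check."""
from pathlib import Path

PROC_BRIDGE_DIR = "/proc/sys/net/bridge"
KNOBS = ("bridge-nf-call-iptables", "bridge-nf-call-ip6tables", "bridge-nf-call-arptables")

# From the thread: what libvirtd adds on RHEL/Fedora.
LIBVIRT_FRAGMENT = """\
# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
"""

# Constructed override for this example: re-enable only the hook Shorewall needs.
# It must be loaded after libvirt's fragment to take effect.
OVERRIDE_FRAGMENT = """\
# Shorewall bport zones need the IPv4 bridge hook.
net.bridge.bridge-nf-call-iptables = 1
"""


def parse_sysctl_fragment(text: str) -> dict:
    """Parse `key = value` lines; lines starting with '#' or ';' are comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings


def effective_settings(*fragments: str) -> dict:
    """Apply fragments in the order sysctl loads them; the last value wins."""
    merged = {}
    for fragment in fragments:
        merged.update(parse_sysctl_fragment(fragment))
    return merged


def bridge_values(settings: dict) -> dict:
    """Map sysctl keys onto the /proc knob names used by read_bridge_nf()."""
    return {knob: settings.get("net.bridge." + knob) for knob in KNOBS}


def read_bridge_nf(proc_dir: str = PROC_BRIDGE_DIR) -> dict:
    """Live check. None means the knob file is absent, which on current
    kernels means the br_netfilter module is not loaded."""
    values = {}
    for knob in KNOBS:
        try:
            values[knob] = (Path(proc_dir) / knob).read_text().strip()
        except FileNotFoundError:
            values[knob] = None
    return values


def audit_bridge_nf(values: dict, ipv6: bool = False) -> tuple:
    """Return (ok, findings). The IPv4 hook is always required; the IPv6
    hook is required only when Shorewall6 also filters the bridge."""
    required = ["bridge-nf-call-iptables"] + (["bridge-nf-call-ip6tables"] if ipv6 else [])
    findings = []
    for knob in required:
        value = values.get(knob)
        if value is None:
            findings.append(f"{knob}: absent (br_netfilter not loaded?)")
        elif value != "1":
            findings.append(f"{knob}={value}: PHYSDEV rules for bport zones will never match")
    return (not findings, findings)


if __name__ == "__main__":
    print("libvirt only:   ", audit_bridge_nf(bridge_values(effective_settings(LIBVIRT_FRAGMENT))))
    print("with override:  ", audit_bridge_nf(bridge_values(effective_settings(LIBVIRT_FRAGMENT, OVERRIDE_FRAGMENT))))
    print("live /proc:     ", audit_bridge_nf(read_bridge_nf()))
```

The merge order matters: the same override placed in a file that sorts before libvirt's is silently undone, which is why Tom's suggestion of /etc/shorewall/init (run at Shorewall start, after boot-time sysctl) is a robust place for it.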