I've spent a lot of time going through different suggestions for shorewall with libvirt, but I haven't yet come across someone trying to do what I am doing, and the "best practice" isn't jumping out at me.

The server has both an external interface (eth0) and an internal (eth1). Libvirt's default interface of virbr0 comes up with the 192.168.122 subnet. Right now I'm just routing between it, but I'd like for some virtual guests to be bridged to eth0, some to eth1, and some to remain on virbr0 or even a future virbr1,2,x.

The system is Fedora 15.

Advice on best practices for multiple bridges?

Thanks

------------------------------------------------------------------------------
RSA® Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1
On Nov 1, 2011, at 10:11 AM, Brian W. Neu wrote:

> I've spent a lot of time going through different suggestions for
> shorewall with libvirt, but I haven't yet come across someone trying to
> do what I am doing, and the "best practice" isn't jumping out at me.
>
> The server has both an external interface (eth0) and an internal
> (eth1). Libvirt's default interface of virbr0 comes up with the
> 192.168.122 subnet. Right now I'm just routing between it, but I'd like
> for some virtual guests to be bridged to eth0, some to eth1, and some to
> remain on virbr0 or even a future virbr1,2,x.
>
> The system is Fedora 15.
>
> Advice on best practices for multiple bridges?

I have no recommendation. I gave up on libvirt a couple of years ago.

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Er, uhhhhh. Lemme rephrase. How would one handle multiple bridges and keep playing nice with shorewall?

(I don't really have a plan B)

--
Sent from my mobile phone. Please excuse my brevity.
Brian W. Neu
Advanced Open Systems, Inc.
404-452-0043 (m)

Tom Eastep <teastep@shorewall.net> wrote:

On Nov 1, 2011, at 10:11 AM, Brian W. Neu wrote:

> I've spent a lot of time going through different suggestions for
> shorewall with libvirt, but I haven't yet come across someone trying to
> do what I am doing, and the "best practice" isn't jumping out at me.
>
> The server has both an external interface (eth0) and an internal
> (eth1). Libvirt's default interface of virbr0 comes up with the
> 192.168.122 subnet. Right now I'm just routing between it, but I'd like
> for some virtual guests to be bridged to eth0, some to eth1, and some to
> remain on virbr0 or even a future virbr1,2,x.
>
> The system is Fedora 15.
>
> Advice on best practices for multiple bridges?

I have no recommendation. I gave up on libvirt a couple of years ago.

-Tom
On Nov 1, 2011, at 7:35 PM, Brian W. Neu wrote:

> Er, uhhhhh. Lemme rephrase. How would one handle multiple bridges and keep playing nice with shorewall?
>
> (I don't really have a plan B)

If you create a rational IP configuration, Shorewall can handle it.

In short -- this isn't a Shorewall question.

-Tom
On Tue, 2011-11-01 at 20:27 -0700, Tom Eastep wrote:

>
> If you create a rational IP configuration, Shorewall can handle it.
>
> In short -- this isn't a Shorewall question.

That having been said, there are a couple of things to keep in mind when considering using bridges with Shorewall.

- You can define zones by bridge port.
- You can filter traffic originating from those 'bridge-port' zones.
- You cannot filter traffic from non-bridge-port zones to individual 'bridge-port' zones. This restriction is imposed by Netfilter, not Shorewall.

Example 1 (routed firewall):

                              _________
                             |         |--vzone1
    net<--eth0->firewall<--->| bridge  |--vzone2
                             |_________|--vzone3

    You can write rules for vzoneN->net
    You can write rules for vzoneN->vzoneM
    You can write rules for vzoneN->firewall
    You can write rules for firewall->vzone* only
    You can write rules for net->vzone* only

Example 2 (bridged firewall):

                   _________
                  |         |--vzone1
    net<--eth0-->| bridge  |--vzone2
                  |_________|--vzone3

    You can write rules for all zone pairs except for fw->vzoneN; you can
    only write rules for fw->vzone*.

Hope this helps,
-Tom
You're the best Tom! Been swamped with client emergencies, but I think this has brought things into enough focus to get me across the finish line.

On 11/2/2011 10:19 AM, Tom Eastep wrote:

> On Tue, 2011-11-01 at 20:27 -0700, Tom Eastep wrote:
>>
>> If you create a rational IP configuration, Shorewall can handle it.
>>
>> In short -- this isn't a Shorewall question.
>
> That having been said, there are a couple of things to keep in mind when
> considering using bridges with Shorewall.
>
> - You can define zones by bridge port.
> - You can filter traffic originating from those 'bridge-port' zones.
> - You cannot filter traffic from non-bridge-port zones to individual
>   'bridge-port' zones. This restriction is imposed by Netfilter, not
>   Shorewall.
>
> Example 1 (routed firewall):
>
>                               _________
>                              |         |--vzone1
>     net<--eth0->firewall<--->| bridge  |--vzone2
>                              |_________|--vzone3
>
>     You can write rules for vzoneN->net
>     You can write rules for vzoneN->vzoneM
>     You can write rules for vzoneN->firewall
>     You can write rules for firewall->vzone* only
>     You can write rules for net->vzone* only
>
> Example 2 (bridged firewall):
>
>                    _________
>                   |         |--vzone1
>     net<--eth0-->| bridge  |--vzone2
>                   |_________|--vzone3
>
>     You can write rules for all zone pairs except for fw->vzoneN; you can
>     only write rules for fw->vzone*.
>
> Hope this helps,
> -Tom

--
Brian W. Neu
Principal
Advanced Open Systems, Inc.
Technology Applied for Business
aosystems1 (skype)
678.310.7890 (w)
404.452.0043 (c)
Hi,

> That having been said, there are a couple of things to keep in mind
> when considering using bridges with Shorewall.
>
> - You can define zones by bridge port.
> - You can filter traffic originating from those 'bridge-port' zones.
> - You cannot filter traffic from non-bridge-port zones to individual
>   'bridge-port' zones. This restriction is imposed by Netfilter, not
>   Shorewall.

Alright, this is interesting to me as well. But what is an individual bridge port? I assume that it's one ethernet device that has been added to the bridge. So then, does this mean that filtering between, say, eth1 and vzone1 cannot be done?

> Example 1 (routed firewall):
(..snip..)
> Example 2 (bridged firewall)
(..snip..)

Am I right when I assume that the bridge in example 1 has no IP? I have wondered whether Linux could be configured to have a bridge with no IP and a dummy device that functions as a port for connections from firewall to bridge.

Is the bridge in example 2 the firewall/fw zone?

Last question: Xen currently suggests to disable arp on the bridgeport (so if I have a bridge br0 and eth0 is a member of it, one would do 'ip link set dev eth0 arp off') and to give the ports a mac of fe:ff:ff:ff:ff:ff. Any thoughts on this?

Clearly I'm almost getting it. :)

Mark.
On Nov 13, 2011, at 11:48 AM, Mark van Dijk wrote:

> Hi,
>
>> That having been said, there are a couple of things to keep in mind
>> when considering using bridges with Shorewall.
>>
>> - You can define zones by bridge port.
>> - You can filter traffic originating from those 'bridge-port' zones.
>> - You cannot filter traffic from non-bridge-port zones to individual
>>   'bridge-port' zones. This restriction is imposed by Netfilter, not
>>   Shorewall.
>
> Alright, this is interesting to me as well. But what is an individual
> bridge port? I assume that it's one ethernet device that has been added
> to the bridge. So then, does this mean that filtering between, say,
> eth1 and vzone1 cannot be done?

Filtering from vzone1 to eth1 can be done, but not eth1 to vzone1.

>
>> Example 1 (routed firewall):
> (..snip..)
>> Example 2 (bridged firewall)
> (..snip..)
>
> Am I right when I assume that the bridge in example 1 has no IP?

No.

> I have
> wondered whether Linux could be configured to have a bridge with no IP
> and a dummy device that functions as a port for connections from
> firewall to bridge.
>

You can create a veth pair (ip link add type veth), and configure one with an IP address and add the other as a port to the bridge.

> Is the bridge in example 2 the firewall/fw zone?

You can think of it that way.

>
> Last question: Xen currently suggests to disable arp on the bridgeport
> (so if I have a bridge br0 and eth0 is a member of it, one would do 'ip
> link set dev eth0 arp off') and to give the ports a mac of
> fe:ff:ff:ff:ff:ff. Any thoughts on this?

No.

-Tom
On Nov 13, 2011, at 2:53 PM, Tom Eastep wrote:

>
> You can create a veth pair (ip link add type veth), and configure one with an IP address and add the other as a port to the bridge.
>

I should add that it would be challenging to configure Shorewall to accommodate this configuration. I'll see what I can do about that for 4.4.26.

-Tom
> I should add that it would be challenging to configure Shorewall to
> accommodate this configuration. I'll see what I can do about that for
> 4.4.26.

Alright, that's nice. Thanks for the pointers and looking forward to it.

Mark.
On Mon, 2011-11-14 at 00:31 +0000, Mark van Dijk wrote:

> > I should add that it would be challenging to configure Shorewall to
> > accommodate this configuration. I'll see what I can do about that for
> > 4.4.26.

I've looked at this a bit more and adding the back-to-back veth interfaces doesn't help all that much.

                                               ---- z1
                                              /
    net <-> firewall vethI <-> vethJ -- bridge ---- z2
                                              \
                                               ---- z3

While we can filter traffic entering the bridge via vethJ to the individual zones zN, we can't tell whether that traffic came from the net or from the firewall itself.

In the case where the zN are virtual machines, each VM typically has a fixed IP address. In that case, it is already easy to limit traffic from the net and firewall to the individual VMs using their IP address, without the need for bport zones at all:

                             ---- vm1
                            /
    net <-> firewall br0 ---- vm2
                            \
                             ---- vm3

zones:

    fw    firewall
    net   ipv4
    vms   ipv4

policy:

    fw    vms   REJECT
    net   vms   DROP
    ...

interfaces:

    net   ethN  ...
    vms   br0   ...

params:

    VMIP1=w.z.y.z1
    VMIP2=w.z.y.z2
    ...
    VM1=vms:$VMIP1
    VM2=vms:$VMIP2
    ...

rules:

    ACCEPT  net      $VM1   tcp   80
    ACCEPT  fw,net   $VM2   tcp   25
    ...

-Tom
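The per-VM filtering Tom sketches above works because rules are matched before the zone policy is applied, and a `vms:$VMIP` destination narrows a rule to one address inside the shared `vms` zone. The following is an added example, not code from the thread or from Shorewall: a small evaluator that expands the params, walks the rules in order, and falls back to the policy, so you can check what the net or the firewall may reach on each VM before loading the real config. The IP addresses are constructed stand-ins for the `w.z.y.zN` placeholders.

```python
# Added example: evaluate Tom's params/policy/rules layout for single connections.
# Constructed params (the post uses w.z.y.zN placeholders; these are sample values).
PARAMS = {"VMIP1": "192.168.122.11", "VMIP2": "192.168.122.12"}
PARAMS["VM1"] = "vms:" + PARAMS["VMIP1"]   # VM1=vms:$VMIP1
PARAMS["VM2"] = "vms:" + PARAMS["VMIP2"]   # VM2=vms:$VMIP2

# policy file from the post: (source zone, destination zone, default action)
POLICY = [("fw", "vms", "REJECT"), ("net", "vms", "DROP")]

# rules file from the post: (action, source, destination, protocol, dest port)
RULES = [
    ("ACCEPT", "net", "$VM1", "tcp", 80),
    ("ACCEPT", "fw,net", "$VM2", "tcp", 25),
]


def expand(token: str) -> str:
    """Substitute $NAME with its params value, like Shorewall's shell-style params."""
    return PARAMS[token[1:]] if token.startswith("$") else token


def parse_endpoint(token: str):
    """'vms:192.168.122.12' -> ('vms', '192.168.122.12'); 'net' -> ('net', None)."""
    zone, _, addr = expand(token).partition(":")
    return zone, (addr or None)


def decide(src_zone: str, dst_zone: str, dst_ip: str, proto: str, dport: int) -> str:
    """Return the action for one new connection: first matching rule, else policy."""
    for action, src, dst, rproto, rport in RULES:
        src_zones = [parse_endpoint(s)[0] for s in src.split(",")]
        dzone, daddr = parse_endpoint(dst)
        if src_zone not in src_zones or dst_zone != dzone:
            continue
        if daddr is not None and daddr != dst_ip:      # per-VM match on the fixed IP
            continue
        if rproto != proto or rport != dport:
            continue
        return action
    for psrc, pdst, action in POLICY:                 # no rule matched: zone policy
        if psrc == src_zone and pdst == dst_zone:
            return action
    return "DROP"   # Shorewall requires a policy; assume the usual catch-all DROP


if __name__ == "__main__":
    for conn in [("net", "vms", PARAMS["VMIP1"], "tcp", 80),
                 ("net", "vms", PARAMS["VMIP2"], "tcp", 80),
                 ("fw", "vms", PARAMS["VMIP2"], "tcp", 25),
                 ("fw", "vms", PARAMS["VMIP1"], "tcp", 25)]:
        print(conn, "->", decide(*conn))
```

The same web port that is open on vm1 stays closed on vm2, which is exactly the per-VM distinction bport zones could not give you for net-originated traffic.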