I am trying to configure a firewall (shorewall) for Domain0 and found this document:

http://www.shorewall.net/Xen.html

I had tried to simply install shorewall as I have done many times before on non-Xen systems but could not get traffic through the interfaces (eth0, eth1).

The document above seems to imply that both eth0 and xenbr0 interfaces have to be configured. All I am interested in is controlling traffic to and from Domain0, not the domUs. I want shorewall installed on each domU. Anyone have experience with this? Do domUs have special considerations when installing iptables rules? Can I use iptables in Domain0 on eth0 like a non-Xen system?

Regards,
David Koski
david.nospham@kosmosisland.com

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
On Wednesday 22 February 2006 08:48, David Koski wrote:

> I am trying to configure a firewall (shorewall) for Domain0 and
> found this document:
>
> http://www.shorewall.net/Xen.html
>
> I had tried to simply install shorewall as I have done many times
> before on non-Xen systems but could not get traffic through the
> interfaces (eth0, eth1).
>
> The document above seems to imply that both eth0 and xenbr0
> interfaces have to be configured. All I am interested in is
> controlling traffic to and from Domain0, not the domUs. I want
> shorewall installed on each domU. Anyone have experience with
> this? Do domUs have special considerations when installing
> iptables rules? Can I use iptables in Domain0 on eth0 like a
> non-Xen system?

If your kernel is built with CONFIG_BRIDGE_NETFILTER=y (which most are), you cannot totally ignore the bridge in Dom0 when configuring your firewall. There are a couple of approaches you can take to modify a standard Shorewall sample configuration to do what you want though:

a)
- Add ipv4 zone 'xen' to /etc/shorewall/zones
- add the following entry to /etc/shorewall/interfaces:

    xen    xenbr0    routeback

b)
- Define explicit policies for all of your zone combinations
- change the all->all policy to ACCEPT (with no logging)

I prefer a). It is similar to what I do (see http://www.shorewall.net/XenMyWay.html).

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Wednesday 22 February 2006 01:14 pm, Tom Eastep wrote:

<snip>

> If your kernel is built with CONFIG_BRIDGE_NETFILTER=y (which most are), you
> cannot totally ignore the bridge in Dom0 when configuring your firewall.
> There are a couple of approaches you can take to modify a standard Shorewall
> sample configuration to do what you want though:
>
> a)
> - Add ipv4 zone 'xen' to /etc/shorewall/zones
> - add the following entry to /etc/shorewall/interfaces:
>
>     xen    xenbr0    routeback
>
> b)
> - Define explicit policies for all of your zone combinations
> - change the all->all policy to ACCEPT (with no logging)
>
> I prefer a). It is similar to what I do (see
> http://www.shorewall.net/XenMyWay.html).

Thanks Tom. Since I have eth0 and eth1 I have put this in zones:

    fw      firewall
    xen0    ipv4
    xen1    ipv4

..and this in interfaces:

    xen0    xenbr0    detect    routeback
    xen1    xenbr1    detect    routeback

Perhaps xen0 would be better named loc and xen1 named dmz.

Is that it?

I have printed XenMyWay.html but it is going to take a while to absorb.

Regards,
David Koski
david.nospham@kosmosisland.com
On Wednesday 22 February 2006 13:49, David Koski wrote:

> Thanks Tom. Since I have eth0 and eth1 I have put this in zones:
>
>     fw      firewall
>     xen0    ipv4
>     xen1    ipv4
>
> ..and this in interfaces:
>
>     xen0    xenbr0    detect    routeback
>     xen1    xenbr1    detect    routeback
>
> Perhaps xen0 would be better named loc and xen1 named dmz.

Shorewall attaches absolutely no meaning to zone names so you can call them 'foo' and 'bar' if you like; whatever has meaning to you.

> Is that it?

Looks fine.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Wednesday 22 February 2006 04:33 pm, Tom Eastep wrote:

> On Wednesday 22 February 2006 13:49, David Koski wrote:
> >
> > Thanks Tom. Since I have eth0 and eth1 I have put this in zones:
> >
> >     fw      firewall
> >     xen0    ipv4
> >     xen1    ipv4
> >
> > ..and this in interfaces:
> >
> >     xen0    xenbr0    detect    routeback
> >     xen1    xenbr1    detect    routeback
> >
> > Perhaps xen0 would be better named loc and xen1 named dmz.
>
> Shorewall attaches absolutely no meaning to zone names so you can call them
> 'foo' and 'bar' if you like; whatever has meaning to you.
>
> > Is that it?
>
> Looks fine.

I must be missing something because shorewall blocks all access.

    eth0=192.168.0.99
    eth1=64.175.19.254

Here are my files:

interfaces:

    loc    xenbr0    detect    routeback
    net    xenbr1    detect    routeback,norfc1918

params:

    LOG=ULOG

policy:

    $FW    all    ACCEPT
    net    all    DROP      $LOG
    loc    all    DROP      $LOG
    all    all    REJECT    $LOG
    ACCEPT    loc                      $FW    tcp     22
    ACCEPT    net:64.175.19.240/28     $FW    tcp     22
    ACCEPT    net:64.175.19.34         $FW    tcp     22
    ACCEPT    net:65.183.195.218       $FW    tcp     22
    ACCEPT    loc                      $FW    icmp    -    -    -    5/sec:10
    ACCEPT    net                      $FW    icmp    -    -    -    5/sec:10

zones:

    fw     firewall    # Domain 0
    loc    ipv4
    net    ipv4

Thanks in advance.

David Koski
david@kosmosisland.com
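A configuration like the one quoted above can be cross-checked mechanically before asking Shorewall to compile it. The following Python script is an added example, not part of the thread or of Shorewall itself: it parses a constructed copy of the zones, interfaces and policy tables, assuming the column layouts ZONE TYPE, ZONE INTERFACE BROADCAST OPTIONS and SOURCE DEST POLICY [LOG], and reports interfaces in undeclared zones, Xen bridges without Tom's routeback option, policy lines naming unknown zones, and lines that are not policy entries at all.

```python
# Added example (not from the thread): cross-checks the Shorewall zones,
# interfaces and policy tables. The strings are a constructed copy of the
# configuration quoted in the thread.
ZONES = """
fw  firewall   # Domain 0
loc ipv4
net ipv4
"""
INTERFACES = """
loc xenbr0 detect routeback
net xenbr1 detect routeback,norfc1918
"""
POLICY = """
$FW all ACCEPT
net  all DROP   $LOG
loc  all DROP   $LOG
all  all REJECT $LOG
"""
POLICIES = {"ACCEPT", "DROP", "REJECT", "CONTINUE", "NONE", "QUEUE"}

def parse_table(text):
    """Return the whitespace-separated columns of each non-comment line."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def check_config(zones_text, interfaces_text, policy_text):
    """Return a list of problems; an empty list means the tables agree."""
    problems = []
    zones = {r[0]: (r[1] if len(r) > 1 else "") for r in parse_table(zones_text)}
    known = set(zones) | {"all"}
    if "firewall" in zones.values():
        known.add("$FW")  # Shorewall's alias for the firewall zone
    # Every interface must belong to a declared zone; a Xen bridge needs routeback.
    for row in parse_table(interfaces_text):
        zone, iface = row[0], (row[1] if len(row) > 1 else "?")
        options = set(row[3].split(",")) if len(row) > 3 else set()
        if zone not in zones:
            problems.append(f"interface {iface}: zone {zone!r} not in zones")
        if iface.startswith("xenbr") and "routeback" not in options:
            problems.append(f"interface {iface}: bridge without routeback")
    # A policy line is SOURCE DEST POLICY [LOG]; rules lines do not belong here.
    for row in parse_table(policy_text):
        if len(row) < 3 or row[2] not in POLICIES:
            problems.append(f"policy: not a policy line: {' '.join(row)}")
            continue
        problems += [f"policy: unknown zone {z!r}" for z in row[:2] if z not in known]
    return problems
```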
David Koski wrote:

> On Wednesday 22 February 2006 04:33 pm, Tom Eastep wrote:
>> On Wednesday 22 February 2006 13:49, David Koski wrote:
>>
>>> Thanks Tom. Since I have eth0 and eth1 I have put this in zones:
>>>
>>>     fw      firewall
>>>     xen0    ipv4
>>>     xen1    ipv4
>>>
>>> ..and this in interfaces:
>>>
>>>     xen0    xenbr0    detect    routeback
>>>     xen1    xenbr1    detect    routeback
>>>
>>> Perhaps xen0 would be better named loc and xen1 named dmz.
>> Shorewall attaches absolutely no meaning to zone names so you can call them
>> 'foo' and 'bar' if you like; whatever has meaning to you.
>>
>>> Is that it?
>> Looks fine.
>
> I must be missing something because shorewall blocks all access.
>

David,

Please submit a full problem report (see http://www.shorewall.net/support.htm) to the Shorewall User's list.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key