Mark Clarke wrote:
> ong.
>
> I am still a bit confused about the protection offered though. If there
> is no real firewall traffic going through the ursa zone then shouldn't
> the lines in policy disallow access from all, and the net zone in
> particular, to the firewall?
>
> all fw ACCEPT
> fw all ACCEPT
>
> Maybe the gap in my understanding is that ursa/firewall is protected by
> the dmz zone rules/policy? Maybe this line in /etc/interfaces is the
> part I am missing? i.e. dmz == all doms including dom0.
>
> dmz xenbr0:vif+ routeback
>
> I can understand that everything on peth0 should be allowed in as it is
> essentially in promiscuous mode and needs to forward/broadcast all
> traffic through to the bridge. Then shorewall just needs to ensure that
> only legitimate traffic is allowed through the virtual interfaces.
Mark,
It sounds like you are confused about the purpose of this particular
firewall example. From the article:
In this example, we will assume that the system is behind a second
firewall that restricts incoming traffic so that we only have to
worry about protecting the local LAN from the systems running in the
DomU's.
Sounds like you missed that assumption.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
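To make the point about the assumption concrete, the script below is an added example (not from the article or the Shorewall project) that models Shorewall's first-match policy lookup over the two quoted policy lines and over a constructed hardened file for a host with no upstream firewall; it ignores /etc/shorewall/rules, which Shorewall evaluates before falling back to policies.

```python
"""Evaluate Shorewall /etc/shorewall/policy entries for a given zone pair.

Shorewall applies the first policy line whose SOURCE and DEST match, so the
order of lines matters. 'all' matches any zone and '$FW' is an alias for the
firewall zone (named 'fw' by default in /etc/shorewall/zones).
"""

# Constructed sample: the two permissive lines quoted in the thread, which only
# make sense when an upstream firewall already screens the net zone.
PERMISSIVE_POLICY = """\
#SOURCE  DEST  POLICY  LOG_LEVEL
all      fw    ACCEPT
fw       all   ACCEPT
"""

# Constructed sample: the same file written without an upstream firewall.
HARDENED_POLICY = """\
#SOURCE  DEST  POLICY  LOG_LEVEL
net      fw    DROP    info
fw       all   ACCEPT
all      all   REJECT  info
"""


def parse_policy(text, fw_zone="fw"):
    """Return (source, dest, action) tuples in file order, comments stripped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        src, dst, action = fields[0], fields[1], fields[2].upper()
        # Normalise the $FW alias to the configured firewall zone name.
        src = fw_zone if src == "$FW" else src
        dst = fw_zone if dst == "$FW" else dst
        entries.append((src, dst, action))
    return entries


def effective_policy(text, src, dst, fw_zone="fw"):
    """First-match lookup: the action applied to src->dst traffic that no
    explicit rule handled; None if no policy line covers the pair."""
    for psrc, pdst, action in parse_policy(text, fw_zone):
        if psrc in (src, "all") and pdst in (dst, "all"):
            return action
    return None
```

With the quoted file, `effective_policy(PERMISSIVE_POLICY, "net", "fw")` returns `ACCEPT`, which is only safe because the article assumes a second firewall in front of the host.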
