The script takes the remarkable steps of clearing the Netfilter ruleset on 'xend start' and restoring it on 'xend stop'.
Given that xend is started at stage 13 and Shorewall at stage 6, this means that 'xend start' effectively isolates the system (the stupid script doesn't change the policies associated with the built-in chains which are set to DENY by Shorewall).
I'm not going to change Shorewall to deal with this madness. My recommendation is:
a) If you want to use NAT with a domU, then let Shorewall do it; don't use Xen's NAT.
b) Either:

   Edit /etc/xen/scripts/network-multinet and delete or comment out
   all calls to 'manage_iptables'.

   or

   (RPM-based systems) Edit /etc/init.d/shorewall[-lite] and
   change:

        # Should-Start: VMware

   to

        # Should-Start: VMware xend

   Note that this last choice will start all of your servers before
   starting Shorewall -- you've been warned.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
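
An added example, not part of the original message and not code from Shorewall or Xen: a shell check for the state described above, where the built-in filter chains are left with a DROP policy and no rules. It reads `iptables -S` output on stdin; the function names and both sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message). Function names and both
# sample rulesets are constructed for illustration.

# Constructed sample: what `iptables -S` prints after the ruleset has been
# flushed while the built-in chain policies stay at DROP.
SAMPLE_FLUSHED='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP'

# Constructed sample: a loaded ruleset (chain name net2fw is illustrative).
SAMPLE_LOADED='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N net2fw
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j net2fw
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j ACCEPT
-A net2fw -p tcp -m tcp --dport 22 -j ACCEPT'

# Reads `iptables -S` output on stdin and prints, on one line, the built-in
# filter chains that have policy DROP and no rules at all.
flushed_drop_chains() {
    awk '
        $1 == "-P" && $3 == "DROP" { drop[$2] = 1 }
        $1 == "-A"                 { rules[$2] = 1 }
        END {
            n = split("INPUT FORWARD OUTPUT", builtin, " ")
            for (i = 1; i <= n; i++) {
                c = builtin[i]
                if ((c in drop) && !(c in rules)) { out = out sep c; sep = " " }
            }
            if (out != "") print out
        }'
}

# Returns 0 when every DROP-policy chain still has rules, 1 otherwise.
check_ruleset() {
    empty=$(flushed_drop_chains)
    if [ -n "$empty" ]; then
        echo "WARNING: DROP policy with no rules on: $empty"
        return 1
    fi
    echo "ok: ruleset loaded"
}

# Demo on the constructed samples; on a live host: iptables -S | check_ruleset
printf '%s\n' "$SAMPLE_FLUSHED" | check_ruleset || true
printf '%s\n' "$SAMPLE_LOADED" | check_ruleset
```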
