Hi All, I'm trying to use shorewall to manage the firewall of a xen dom0 installation but not for the bridges.
I'm using shorewall-perl 4.0.8-1 on Debian testing. Basically I want to allow all traffic between the virtual interfaces connected to the bridge called "lan" in the zone "lan". Because the virtual interfaces are added to the bridge at runtime, I can't enumerate them in the shorewall configuration following the tutorial available at http://www.shorewall.net/bridge-Shorewall-perl.html

Also the release notes (/usr/share/doc/shorewall-perl/releasenotes.txt.gz) state that: "Bridge ports must now be defined in /etc/shorewall/interfaces."

So, if I understand correctly, currently there isn't a way to allow the traffic in the bridge in an implicit way.

A little extract from my configuration:

    $ sudo brctl show
    bridge name     bridge id               STP enabled     interfaces
    lan             8000.feffffffffff       no              xen1fw.0
                                                            aptproxy.0
                                                            [and so on]

    $ sudo cat /etc/shorewall/zones | grep lan
    lan     ipv4

    $ sudo cat /etc/shorewall/policy | egrep 'lan|all'
    lan     lan     ACCEPT  info
    all     all     DROP    info

    $ sudo cat /etc/shorewall/interfaces | grep lan
    lan     lan     detect  routefilter,bridge n

    $ sudo dmesg | grep DROP | head -n1
    Mar 19 23:01:53 xen1 kernel: Shorewall:FORWARD:DROP:IN=lan OUT=lan PHYSIN=xen1fw.0 PHYSOUT=aptproxy.0 SRC=10.200.0.254 DST=10.200.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=52487 SEQ=4

Shorewall seems to block all traffic inside the bridge because it goes through the FORWARD chain (default DROP), which has no rule targeting lan2lan, and the lan2lan chain has no references... Even if I make the IP range explicit, for example in /etc/shorewall/rules:

    ACCEPT  lan:10.0.0.0/8  lan:10.0.0.0/8

the lan2lan chain still has 0 references. Maybe I don't have the full view to understand why shorewall works in this way and whether I can achieve what I want, which seems to me pretty simple to express.

For now I use this workaround in the script /etc/shorewall/start:

    #!/bin/sh
    # Find the number of the first FORWARD rule that mentions "drop",
    # skipping the chain header line (which names the policy DROP).
    NUM=`iptables --line-numbers -nL FORWARD | sed -n '2,$p' | grep -si drop | head -n 1 | cut -d ' ' -f1`
    # Insert the lan -> lan jump to the lan2lan chain just before it.
    iptables -I FORWARD $NUM -i lan -o lan -j lan2lan

Thanks in advance for your suggestions,
Daniele Pizzolli
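Two helpers for the diagnosis and the workaround in the post above, as an added example that is not part of the original message and not Shorewall's own code. The FORWARD listing and the second log line are constructed samples (the chain layout, the `eth0` interface and the 192.0.2.10 address are assumptions); the first log line copies the format of the dmesg line quoted above. The first function locates the final log-and-drop pair by its target column instead of grepping the whole line, so the inserted ACCEPT lands ahead of the LOG rule and accepted packets are not logged as dropped; the second tells intra-bridge drops (same IN and OUT bridge, PHYSIN and PHYSOUT set) apart from routed ones.

```shell
#!/bin/sh
# Added example, not from the original post or from Shorewall. Two helpers
# for the diagnosis and workaround described above. The inputs below are
# constructed samples so the script runs offline; on a real dom0 pipe in
# `iptables --line-numbers -nL FORWARD` and `dmesg` output instead.

# Constructed listing of a Shorewall FORWARD chain (hypothetical rule set,
# shaped like the one the log line in the post implies: a LOG rule with a
# "...:DROP:" prefix immediately followed by the terminal DROP).
SAMPLE_FORWARD='Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    eth0_fwd   all  --  0.0.0.0/0            0.0.0.0/0
2    lan_fwd    all  --  0.0.0.0/0            0.0.0.0/0
3    Reject     all  --  0.0.0.0/0            0.0.0.0/0
4    LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "Shorewall:FORWARD:DROP:"
5    DROP       all  --  0.0.0.0/0            0.0.0.0/0'

# Print the number of the first rule of the final log-and-drop pair: either
# the target column is DROP, or it is a LOG rule whose prefix says DROP.
# Matching the LOG rule too matters: an ACCEPT inserted after it would still
# log the accepted packets as "DROP". The chain header line (which mentions
# the policy) cannot match because only the target column is compared.
# Prints nothing when no such rule exists.
first_drop_rule() {
    awk 'NR > 2 && ($2 == "DROP" || ($2 == "LOG" && index($0, "DROP"))) { print $1; exit }'
}

# Constructed Shorewall log lines in the format of the dmesg line above.
# Line 1 is intra-bridge traffic (same IN and OUT, both PHYSIN and PHYSOUT
# set); line 2 is routed traffic leaving the bridge via another interface.
SAMPLE_LOGS='Shorewall:FORWARD:DROP:IN=lan OUT=lan PHYSIN=xen1fw.0 PHYSOUT=aptproxy.0 SRC=10.200.0.254 DST=10.200.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=52487 SEQ=4
Shorewall:FORWARD:DROP:IN=lan OUT=eth0 PHYSIN=aptproxy.0 SRC=10.200.0.1 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=43210 DPT=80 SYN URGP=0'

# Classify each log line as "bridged" (packet entered and left through the
# same bridge, i.e. port-to-port traffic that only the workaround above
# lets through) or "routed", and show the physical ports and addresses.
classify_drops() {
    awk '{
        ifin = ""; ifout = ""; physin = ""; physout = ""; src = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            sub(/.*:/, "", kv[1])   # strip the "Shorewall:FORWARD:DROP:" prefix glued to IN=
            if (kv[1] == "IN") ifin = kv[2]
            else if (kv[1] == "OUT") ifout = kv[2]
            else if (kv[1] == "PHYSIN") physin = kv[2]
            else if (kv[1] == "PHYSOUT") physout = kv[2]
            else if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
        }
        kind = (ifin != "" && ifin == ifout && physin != "" && physout != "") ? "bridged" : "routed"
        printf "%s %s %s->%s %s->%s\n", kind, ifin, physin, physout, src, dst
    }'
}

# Demo run on the constructed samples.
printf '%s\n' "$SAMPLE_FORWARD" | first_drop_rule
printf '%s\n' "$SAMPLE_LOGS" | classify_drops
```

On a real host the first function would be used as `NUM=$(iptables --line-numbers -nL FORWARD | first_drop_rule)`, falling back to `iptables -A FORWARD ...` when it prints nothing, and the second as `dmesg | grep 'Shorewall:FORWARD:DROP' | classify_drops` to confirm that the dropped packets really are port-to-port traffic on the bridge rather than routed traffic that the lan2lan rule would not cover anyway.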
